public inbox for [email protected]  
.deb signing key insecure against MitM
2+ messages / 2 participants

* .deb signing key insecure against MitM
@ 2016-03-07 15:03 Thomas Mayer <[email protected]>
  2016-03-07 15:06 ` Re: .deb signing key insecure against MitM Magnus Hagander <[email protected]>
  0 siblings, 1 reply; 2+ messages in thread

From: Thomas Mayer @ 2016-03-07 15:03 UTC (permalink / raw)
  To: pgsql-docs

I just visited http://www.postgresql.org/download/linux/debian/ and my 
impression is that the way the signing key is published is not secured 
against wrong origin or manipulation by a man in the middle (MitM) attacker.

Meaning, that if a MitM attacker can compromise downloads, he or she is 
also able to compromise the documentation site including the source of 
the signing key, e.g. by publishing the attacker's signing key to the 
user. Debian's apt-get will not complain if everything fits together.

Therefore, I suggest that the whole page should be TLS secured 
(HTTPS-only), not because of encryption but to ensure origin and 
integrity of the signing key.

It is not sufficient to have the signing key itself TLS-secured, because 
the documented hyperlink

https://www.postgresql.org/media/keys/ACCC4CF8.asc

could easily be manipulated by the MitM as well.

I also suggest to go through the documentation to find similar occurrences.

Last, but not least, people might also tend to copy-paste some bash 
commands, which offers additional possibilities for a MitM to let users 
install malicious software with root permissions. In the long run, I 
suggest going for an HTTPS-only strategy with PostgreSQL's documentation 
(all of it).

Related, but securing the download: 
http://www.postgresql.org/message-id/flat/[email protected]#1455875336.9107.60.cam...

Note that the apt repository (including the downloadable packages) does 
not have to be TLS-secured as long as the package signing mechanism 
works well. Still, the additional security might not be harmful for most 
users.

Best regards
Thomas Mayer

--
https://www.2bis10.de


-- 
Sent via pgsql-docs mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-docs
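The audit Thomas asks for in his mail (going through the documentation to find places where key material or copy-paste commands are published in a way a network attacker in the path could rewrite) can be mechanised. The script below is an added example, not code from this thread or from the PostgreSQL project; the page URL, host names, key file name and commands in its sample HTML are constructed for the example. It flags three of the situations described above: a signing key linked over plaintext HTTP, an HTTPS key link that is itself published on an HTTP page (so the link target can be swapped), and fetch-and-pipe command lines that feed a shell or apt-key running as root.

```python
import re
from urllib.parse import urlparse

# Constructed sample page standing in for install instructions of the kind
# the mail describes. Host names, key name and commands are made up.
SAMPLE_PAGE_URL = "http://docs.example.invalid/download/linux/debian/"
SAMPLE_PAGE_HTML = """
<p>Import the repository signing key:</p>
<pre>wget --quiet -O - https://docs.example.invalid/media/keys/EXAMPLEKEY.asc | sudo apt-key add -</pre>
<p>Or download it manually from
<a href="http://docs.example.invalid/media/keys/EXAMPLEKEY.asc">here</a>.</p>
<p>Quick install: <code>curl http://get.example.invalid/install.sh | sudo bash</code></p>
<p>Read the <a href="http://docs.example.invalid/docs/">documentation</a>.</p>
"""

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
KEY_FILE_RE = re.compile(r"\.(asc|gpg|key|pub)$", re.IGNORECASE)
# fetch-and-pipe commands a reader is likely to copy-paste into a root shell
PIPE_RE = re.compile(
    r"(?:curl|wget)[^\n|]*\|\s*(?:sudo\s+)?(?:sh|bash|apt-key\s+add)\b")


def audit_page(page_url, html):
    """Return (severity, detail) findings for every place on the page where an
    attacker in the network path could substitute key material or commands."""
    findings = []
    page_is_https = urlparse(page_url).scheme == "https"

    for url in URL_RE.findall(html):
        parsed = urlparse(url)
        if not KEY_FILE_RE.search(parsed.path):
            continue
        if parsed.scheme != "https":
            findings.append(("high", f"signing key served over plaintext HTTP: {url}"))
        elif not page_is_https:
            # The key itself travels over TLS, but the hyperlink to it was
            # delivered over HTTP, so the link target can be rewritten en route.
            findings.append(("high", f"HTTPS key link published on an HTTP page: {url}"))

    for match in PIPE_RE.finditer(html):
        cmd = match.group(0).strip()
        if "http://" in cmd or not page_is_https:
            severity = "high"   # command text or its payload can be tampered with
        else:
            severity = "low"    # origin intact, but still trusted unverified as root
        findings.append((severity, f"copy-paste pipeline into a privileged command: {cmd}"))

    return findings


if __name__ == "__main__":
    for severity, detail in audit_page(SAMPLE_PAGE_URL, SAMPLE_PAGE_HTML):
        print(f"[{severity}] {detail}")
```

Run against the constructed page served over HTTP, every finding is rated high, which matches the argument in the mail: once the page itself is unauthenticated it does not matter that the key file is fetched over TLS. Re-running with an `https://` page URL drops the key-link finding and downgrades the TLS pipeline to low, leaving only the plaintext references as high-severity items to fix.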




* Re: .deb signing key insecure against MitM
  2016-03-07 15:03 .deb signing key insecure against MitM Thomas Mayer <[email protected]>
@ 2016-03-07 15:06 ` Magnus Hagander <[email protected]>
  0 siblings, 0 replies; 2+ messages in thread

From: Magnus Hagander @ 2016-03-07 15:06 UTC (permalink / raw)
  To: Thomas Mayer <[email protected]>; +Cc: pgsql-docs

On Mon, Mar 7, 2016 at 4:03 PM, Thomas Mayer <[email protected]>
wrote:

> I just visited http://www.postgresql.org/download/linux/debian/ and my
> impression is that the way the signing key is published is not secured
> against wrong origin or manipulation by a man in the middle (MitM) attacker.
>
> Meaning, that if a MitM attacker can compromise downloads, he or she is
> also able to compromise the documentation site including the source of the
> signing key, e.g. by publishing the attacker's signing key to the user.
> Debian's apt-get will not complain if everything fits together.
>
> Therefore, I suggest that the whole page should be TLS secured
> (HTTPS-only), not because of encryption but to ensure origin and integrity
> of the signing key.
>


Work is under way to make the entire website available under https only.
It's blocked behind some other work at this point, but once we get there,
it should make this situation a lot better.

-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/



