Insecure download

15 replies [Last post]
lamefun
Offline
Joined: 12/01/2014

Trisquel page is available over HTTPS, yet:

The download itself is over plain HTTP, ie. http(!)://cdimage.trisquel.info/trisquel-images/trisquel_7.0_amd64.iso.torrent

MD5: http(!)://cdimage.trisquel.info/trisquel-images/trisquel_7.0_amd64.iso.torrent.md5
GPG: http(!)://cdimage.trisquel.info/trisquel-images/trisquel_7.0_amd64.iso.torrent.asc

I thought hardcore free software proponents are also care very much about security...

Also, there are no instructions on how to use them. Shouldn't a security-conscious free software distribution also try to teach their users how to keep themselves secure?

lamefun
Offline
Joined: 12/01/2014

MD5 is completely useless if you don't get it from a trusted source.
GPG signature is only useful if you have already gotten the public key to verify it against, again from a trusted source.
pgp.mit.edu can get a key by its fingerprint, but it's only useful, again, if you got the fingerprint from a trusted source, since anyone can upload their keys.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

Didn't notice that. It IS a serious security issue. point.

oysterboy

I am a member!

I am a translator!

Offline
Joined: 02/01/2011

Is it really? What would a https download be good for if the Trisquel server is hacked and another iso replaces the good one? https "only" ensures that the traffic between the client and the server is encrypted - it does not ensure the integrity of the data. Can you please explain what you feel the problem is, and why an https connexion would solve it?

I notice that Debian has the same "problem":

http://cdimage.debian.org/debian-cd/7.7.0/amd64/iso-cd/debian-7.7.0-amd64-netinst.iso

for instance.

oysterboy

I am a member!

I am a translator!

Offline
Joined: 02/01/2011

Or are you concerned about a MITM attack?

andrew
Offline
Joined: 04/19/2012

mtlben wrote:
> Is it really? What would a https download be good for if the
> Trisquel server is hacked and another iso replaces the good one?
> https "only" ensures that the traffic between the client and the
> server is encrypted - it does not ensure the integrity of the data.

Actually HTTPS does ensure the integrity of data across the connection,
using a keyed message authentication code:

https://en.wikipedia.org/wiki/Transport_Layer_Security#Data_integrity

Andrew

oysterboy

I am a member!

I am a translator!

Offline
Joined: 02/01/2011

Thank you - I stand corrected.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

precisely that - man in the middle. it doesn't happen often, but it can.

lamefun
Offline
Joined: 12/01/2014

And this wasn't noticed for such a long time...

RPMFusion: http://rpmfusion.org/RPM%20Fusion?action=recall&rev=194

They locked the pages after several months (locking process itself is a 5 minute work by the way), not without the need for me to poke them, and they still didn't move to HTTPS...

https://software.opensuse.org/132/en - they have HTTPS, but only on software.opensuse.org, not on opensuse.org and it's not default. MD5 and GPG are over HTTP again, and no instructions.

Debian: https://www.debian.org/distrib/netinst - I couldn't find verification instructions for netinstall images, or any verification instructions at all. There are GPG signatures though.

Linux Mint: no HTTPS at all.

This is just crazy.

quidam

I am a member!

I am a translator!

Offline
Joined: 12/22/2004

> RPMFusion: http://rpmfusion.org/RPM%20Fusion?action=recall&rev=194
>
>They locked the pages after several months (locking process itself is a 5 minute work by the way), not without the need for me to poke them and they still didn't move to HTTPS...

So you vandalized their site over a problem you don't understand? You didn't gave them any useful idea (as they point out), or us. The only useful suggestion from this tread comes from Andrew (I signed the key, thanks for the hint).

"As Fedora is useless without RPM Fusion for most normal people who want to listen to MP3, or use their GPUs to full extent [...] So I can't recommend Fedora to anyone before the security of RPM Fusion is fixed."

And you don't recommend an almost free distribution unless the addition of extra non-free binaries (now those sure are safe!) can be done from a HTTPS server... Stay *OUT* of our wiki.

lamefun
Offline
Joined: 12/01/2014

> So you vandalized their site

I shouldn't have but I was too mad at the time.

> over a problem you don't understand?

What exactly don't I understand?.

* If there were no problems I wouldn't have been able to vandalize the main page at all. They allowed any newly registred user to edit the main page and the official downloads.

* They clearly don't have the manpower to constantly monitor the wiki for vandalism. My changes stayed for more than 6 hours, and were probably only reverted because they were so conspicious. If someone replaced the downloads with malicious packages without changing anything else, they could've stayed there for much longer.

* I agree that collaborative wikis are good. But the main, download and verification pages should still be locked. There isn't anything truly useful for a non-admin user to add there anyway.

* They have been defaced several times by spammers, but they still didn't lock the pages, and even openly admitted that it is intended this way. http://lists.rpmfusion.org/pipermail/rpmfusion-developers/2013-July/015359.html

> You didn't gave them any useful idea (as they point out), or us.

It should be very obvious what to do.

* The download page and the verification page are editable by any newly
registered user.

Then lock the pages.

* No HTTPS, so malicious packages can be inserted by a man in middle.

Then add HTTPS support.

> And you don't recommend an almost free distribution unless the addition of extra non-free binaries

I'm just being realistic here. A common user won't accept such an offer.

> (now those sure are safe!) can be done from a HTTPS

RPM Fusion hosts free software too. MP3 / H.264 decoders are free software, but they can't be used in US because of patents. It also hosts some software that doesn't meet Fedora strict quality standard, eg. VirtualBox.

> The only useful suggestion from this tread comes from Andrew (I signed the key, thanks for the hint).

That's good, but AFAIK this doesn't provide any additional security over MD5 over HTTPS to a common user who doesn't use Web of Trust.

Also, why is MD5 link? MD5 checksum can be embedded in the page itself and it'd be way shorter than the link to it.

andrew
Offline
Joined: 04/19/2012

lamefun wrote:
> Trisquel page is available over HTTPS, yet:
>
> The download itself is over plain HTTP, ie.

HTTPS can indeed be useful for verifying authenticity of a connection,
but GnuPG is probably more appropriate for verifying authenticity of a
file (and also more efficient).

> GPG:
> http(!)://cdimage.trisquel.info/trisquel-images/trisquel_7.0_amd64.iso.torrent.asc

I agree with you on this point: the torrent and GnuPG signature would
probably be best downloaded over HTTPS.

Last time I checked, the Trisquel archive key wasn't signed by anyone
which makes it difficult to use web of trust to verify the key.

> Also, there are no instructions on how to use them. Shouldn't a
> security-conscious free software distribution also try to teach
> their users how to keep themselves secure?

Yes, a wiki page would be a good idea.

Andrew

andrew
Offline
Joined: 04/19/2012

OK I've updated the wiki page hidden somewhere within the documentation for downloading Trisquel:
https://trisquel.info/en/wiki/download-trisquel

I have also added an issue to the bug tracker for adding new signatures to the signing key:
https://trisquel.info/en/issues/12998

Andrew

quidam

I am a member!

I am a translator!

Offline
Joined: 12/22/2004

Please, don't spread unfounded fear.

> Trisquel page is available over HTTPS, yet The download itself is over plain HTTP

Like any other download server, with reason. HTTPS is implemented to the data transferred from and to a web server, which for a public software repository is not needed nor recommend, and it does not provide file verification anyway.

> MD5 is completely useless if you don't get it from a trusted source.

The MD5 file is GPG signed.

> GPG signature is only useful if you have already gotten the public key to verify it against, again from a trusted source.

We sign our sources, binaries, images and repositories with a GPG key that is publicly accessible, e.g. in each of our mirrors. I just signed the key myself as a way to make it easier to validate.

lamefun
Offline
Joined: 12/01/2014

> The MD5 file is GPG signed.

Why not just sign the ISO itself then?

> a GPG key that is publicly accessible

Yet the download page didn't provide a link to it until now.

Also, there should be a verification instruction.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

https://tails.boum.org/download/index.en.html

This is how tails handles this. Both signature and torrent file are https. Also the documentation for verifying the iso is very clear..

Lets copycat!!