Curious: https for yum repos

InfusingPrivacy

Mar 14, 2017, 12:03:32 AM
to qubes-users
As part of my exploration of Qubes, I took a look inside yum.repos.d and I noticed that there were quite a few repos that used http. Most are default fedora repos, but some are Qubes repos, which raised a question of curiosity (primarily for discussion):

Would it be helpful if certain Qubes repos used HTTPS? Why or why not?

I'm not going to claim to know all of the details and I don't wish to dictate what Qubes devs should do, but I guess my question is more of the tone: (if it helps and if it is not much of a hassle, why not? HTTPS should be more secure than HTTP)

My only guess as to why not would be: the GPG keys are sufficient?

Chris Laprise

Mar 14, 2017, 12:39:09 AM
to InfusingPrivacy, qubes-users
GPG is sufficient for verification, although using HTTPS would conceal
which software packages you are using.

Qubes developers are already preparing to do most distribution over Tor
services, which makes HTTPS somewhat moot.

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett

cubit

Mar 14, 2017, 5:19:42 PM
to Chris Laprise, InfusingPrivacy, qubes-users
14. Mar 2017 04:39 by tas...@openmailbox.org:

> GPG is sufficient for verification, although using HTTPS would conceal which software packages you are using

GPG does not protect against a MITM downgrade attack to a validly signed but older vulnerable version of a piece of software.


Chris Laprise

Mar 14, 2017, 7:42:09 PM
to cubit, InfusingPrivacy, qubes-users
On 03/14/2017 05:19 PM, cubit wrote:
> 14. Mar 2017 04:39 by tas...@openmailbox.org:
It does in a way, if your distro signs a master 'repo' file that is
timestamped. Then you can confidently display the date/time or
"freshness" of the data to the user. Also, it limits the attacker to
holding back the *entire* repository (assuming the user doesn't notice
the old date).

This is common and should work because it's fairly easy to encounter news
about updates out-of-band. Plus, the user will have expectations about
update frequency.

Fedora *unfortunately* is the black sheep here. It doesn't sign a repo
file, therefore an attacker can hold back individual packages within
what appears to the user as a stream of normal update cycles.

Note: Qubes project is interested in getting Debian into dom0. In the
meantime, it's fairly easy to use Debian for templates.
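
Added example, not part of the original thread: a freshness check of the kind described in the message above, run against signed, timestamped repository metadata. It reads the `Date` and `Valid-Until` fields of a Debian-style `Release` file; the sample text, the 10-day `max_age` policy and the function names are assumptions, and the signature over the file is assumed to have been verified already.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample in the style of a Debian "Release" file (not real data).
SAMPLE_RELEASE = """\
Origin: Example
Suite: stable
Date: Sat, 11 Mar 2017 09:00:00 UTC
Valid-Until: Sat, 18 Mar 2017 09:00:00 UTC
"""

def parse_fields(text):
    """Return the top-level 'Key: value' fields of a Release-style file."""
    fields = {}
    for line in text.splitlines():
        # Continuation lines (checksum lists) start with whitespace; skip them.
        if line and not line[0].isspace() and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def _when(value):
    """Parse an RFC 2822-style date and make sure it is timezone-aware."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_freshness(release_text, now, last_seen_date=None,
                    max_age=timedelta(days=10)):
    """Return a list of problems; an empty list means the metadata looks fresh.

    Assumption: the signature over release_text was verified beforehand.
    max_age is a hypothetical local policy, not a value from any distro.
    """
    fields = parse_fields(release_text)
    if "Date" not in fields:
        return ["no Date field: freshness cannot be judged"]
    date = _when(fields["Date"])
    problems = []
    # The publisher's own expiry: old metadata replayed after this is rejected.
    if "Valid-Until" in fields and now > _when(fields["Valid-Until"]):
        problems.append("expired: past Valid-Until")
    # Local policy: the whole repository appears to be held back.
    if now - date > max_age:
        problems.append("stale: older than %d days" % max_age.days)
    # Rollback: the mirror served metadata older than what was seen before.
    if last_seen_date is not None and date < last_seen_date:
        problems.append("rollback: older than metadata already seen")
    return problems
```

Because the timestamp covers the whole signed index, this check detects a held-back repository as a unit; it says nothing about individual packages when no such signed index exists.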

Andrew David Wong

Mar 14, 2017, 8:33:59 PM
to Chris Laprise, cubit, InfusingPrivacy, qubes-users
On 2017-03-14 16:41, Chris Laprise wrote:
> On 03/14/2017 05:19 PM, cubit wrote:
>> 14. Mar 2017 04:39 by tas...@openmailbox.org:
>>
>> GPG is sufficient for verification, although using HTTPS would
>> conceal which software packages you are using
>>
>>
>> GPG does not protect against a MITM downgrade attack to a validly
>> signed but older vulnerable version of a piece of software
>>
>
> [...] Fedora *unfortunately* is the black sheep here. It doesn't
> sign a repo file, therefore an attacker can hold back individual
> packages within what appears to the user as a stream of normal
> update cycles.
>

Downloading updates over Tor mitigates this risk (which is a
single-click affair from the Qubes installer).


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Unman

Mar 14, 2017, 9:00:47 PM
to Chris Laprise, InfusingPrivacy, qubes-users
I think that the idea that HTTPS will conceal which software package is
being installed is illusory in many cases, because the fingerprints can
be easily identified.
In the Qubes case, where the number of packages is relatively small, it
should be easy to identify which packages were being downloaded. The
very fact that that site is being accessed would probably be enough to
inform an eavesdropper of the likely packages.

The move to Tor does make this still more difficult, but again, the
correlation of a number of requests to what are relatively uncommon
sites may be enough to identify a Whonix or Qubes user. (I should say
that I don't know what is in the Whonix repos but the Qubes ones contain
relatively few packages.)

Andrew David Wong

Mar 14, 2017, 9:06:19 PM
to Unman, Chris Laprise, InfusingPrivacy, qubes-users
On 2017-03-14 18:00, Unman wrote:
> [...] The move to Tor does make this still more difficult, but
> again, the correlation of a number of requests to what are
> relatively uncommon sites may be enough to identify a Whonix or
> Qubes user. (I should say that I don't know what is in the Whonix
> repos but the Qubes ones contain relatively few packages.)
>

Downloading updates from Tor Onion Services helps here (but that part
is, admittedly, not a single-click affair).

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

haaber

Mar 15, 2017, 4:15:56 AM
to qubes...@googlegroups.com
Chris,

> Fedora *unfortunately* is the black sheep here. It doesn't sign a repo
> file, therefore an attacker can hold back individual packages within
> what appears to the user as a stream of normal update cycles.

I read this as "fedora is less safe" since exposed to described
attacks. Actually I never used it in my pre-Qubes life, and I would still
not if there were alternatives to fedora-minimal.

So: Is there a debian-minimal available? For normal and even advanced
users it is almost impossible to slim down a std debian via uninstalling
unused packages without destroying the system: which of the (in large
parts cryptic) package names are vital?

Bernhard

Andrew David Wong

Mar 15, 2017, 6:39:20 PM
to haaber, qubes...@googlegroups.com
On 2017-03-15 01:15, haaber wrote:
> Chris,
>
>> Fedora *unfortunately* is the black sheep here. It doesn't sign a
>> repo file, therefore an attacker can hold back individual
>> packages within what appears to the user as a stream of normal
>> update cycles.
>
> I read this as "fedora is less safe" since exposed to described
> attacks. Actually I never used it in my pre-Qubes life, and I would
> still not if there were alternatives to fedora-minimal.
>

Not sure I would read it that way.

> So: Is there a debian-minimal available?

The existing Debian template is already pretty minimal, so no
debian-minimal template has been created.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Unman

Mar 15, 2017, 9:39:13 PM
to Andrew David Wong, haaber, qubes...@googlegroups.com
On Wed, Mar 15, 2017 at 03:39:04PM -0700, Andrew David Wong wrote:
> On 2017-03-15 01:15, haaber wrote:
> > Chris,
> >
> >> Fedora *unfortunately* is the black sheep here. It doesn't sign a
> >> repo file, therefore an attacker can hold back individual
> >> packages within what appears to the user as a stream of normal
> >> update cycles.
> >
> > I read this as "fedora is less safe" since exposed to described
> > attacks. Actually I never used it in my pre-Qubes life, and I would
> > still not if there were alternatives to fedora-minimal.
> >
>
> Not sure I would read it that way.
>
> > So: Is there a debian-minimal available?
>
> The existing Debian template is already pretty minimal, so no
> debian-minimal template has been created.
>

There is a debian-minimal available for build, of course. And the build
is very straightforward.