Introducing the new SSLed, signing, dancing wiki server!

Joanna Rutkowska

Jul 16, 2014, 8:54:26 AM
to qubes...@googlegroups.com, qubes...@googlegroups.com
So, after 4+ years of using a plain http-based wiki, we have moved today
to a new, properly SSLed wiki server! It uses an SSL cert signed by a
StartSSL CA.

Even though the cert is signed by a 3rd-party CA, they haven't got
access to our private key -- they just signed our public key, which I
generated in one of my many VMs.

However, the cert's private key is stored on the wiki server and is
accessible to anyone who:

1) Can compromise the server and gain root or kernel access there,

OR

2) To Amazon admins who can always read our VM server's memory (this is
always possible and requires no exploitable bug of any sorts).

In other words, always assume the bad guys/gov have compromised this
cert and/or the wiki server itself.

Also note that Qubes OS installation ISOs are *not* served from our wiki
server -- they are distributed via sf.net[*] and we have absolutely no
control over what happens with them on sf.net servers (either due to
their admins or attackers modifying them). Thus:

ALWAYS CHECK DIGITAL SIGNATURES ON DOWNLOADED ISO!

ALWAYS TRY TO OBTAIN QUBES MASTER KEY FINGERPRINTS FROM DIFFERENT SOURCES!

Also note that our git repos are also not served from our wiki server
either. Our git/gitweb server does not use SSL, however all the repos
use digital signing to assure code authenticity and integrity. Our
qubes-builder automatically attempts to verify these signatures on every
pull. This provides a significantly higher security than any SSL server
could provide, because the signatures are made on developer's computers
(in dedicated devel VMs), so the private keys are not stored on any 3rd
party server.

The same applies to updates for Qubes OS which are distributed as signed
rpm packages (also from non-SSLed server, whose security is irrelevant
thus).

So, there are few security benefits with this new SSLed server, but at
least it now Looks Nice (TM). Also it now provides for a somehow more
reliable way to get the Qubes Master Signing Key fingerprints (but not
much more reliable because of the lack of control over the server as
explained above).

However, the absolutely jaw-dropping new feature is HTML-based user
authentication and registration. No longer will we need to manually
update htpasswd via ssh whenever a new wiki user is to be registered.
Today the users can register themselves via a Web form!

Of course, conservative as we are, we still don't allow just anybody to
register a usable account on Qubes Wiki. For this reason we have removed
the Registration link from the wiki. Of course people can still type in
the registration URL (which I even copy below) and register, but their
accounts won't get approved by us. So, in other words, please don't.

People who used to have accounts on the old wiki server are requested
to register using this link:

https://wiki.qubes-os.org/register

Please use the same username as on the old wiki and also please use the
same email address as the one you use to post on our mailing lists and
to which you once got invitation for wiki access. (Yes, I know,
authenticating people via ability to send and respond from a specific
email address is not a very strong one, so to say, but then again, it
should be good enough for our wiki, which is, as explained above, not
very security critical...).

The new wiki is available under the same URL, although https is now
enforced (if you access via old http:// paths those should be
automatically redirected to https://-ed ones).

https://wiki.qubes-os.org/wiki

You might need to wait for the DNS caches to update.

Cheers,
joanna.

[*] Arguably, while it might provide some security benefit to also serve
installation ISO from our now-properly-SSLed wiki server instead of from
sf.net, especially to the proverbial grandparents, we can't afford to
host it on our rented servers because of the high bandwidth costs, which
might easily go into thousands of $ per month.


Joanna Rutkowska

Jul 16, 2014, 9:04:40 AM
to qubes...@googlegroups.com, qubes...@googlegroups.com
Ok, and to be fair -- some security advantages of having this new SSLed
server:

1) Attacks subverting the content of the wiki on the fly (MitM), while
it is served to the reader, e.g. in Starbucks over insecure wifi, should
now be hard.

2) Even if an attacker gets access to the private SSL key, they might
still be caught while using this stolen key to serve the wiki content.
This is especially true for people accessing the wiki over tor (targeted
attacks would be difficult then).

In practice, the most severe attacks on the wiki content would be those
replacing the real Qubes Master Key fingerprint with a fake one, as e.g.
given on this page:

https://wiki.qubes-os.org/wiki/VerifyingSignatures

Of course it's also thinkable that the attacker could inject some
offending instructions and convince the user to execute them, e.g. in
order to fix some innocent technical problem with Qubes OS (e.g. broken
sound virtualization).

Unfortunately in order to allow potential attackers to get caught when
using stolen Qubes cert or session key even (and serving fake content)
some form of monitoring infrastructure would need to be established.

joanna.
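
An added example (not part of the original posts, and not Qubes project code) of the cross-source check the two messages above call for: pull the key fingerprint out of text obtained from several independent sources and accept it only when all of them agree, which also flags a vantage point that was served a replaced fingerprint. The function names, the source names and the placeholder fingerprint are assumptions made up for the example.

```python
import re
from collections import Counter

# Ten groups of four hex digits, optionally separated by spaces or tabs
# (the way gpg prints a 160-bit key fingerprint), or 40 hex digits run together.
FPR_RE = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{4}[ \t]*){10}(?![0-9A-Fa-f])")

def extract_fingerprints(text):
    """Return the set of normalized (uppercase, no spaces) fingerprints in text."""
    return {re.sub(r"\s", "", m.group(0)).upper() for m in FPR_RE.finditer(text)}

def cross_check(sources, min_sources=3):
    """sources maps a source name to the text obtained from it.

    Returns (fingerprint, suspects). fingerprint is None unless at least
    min_sources sources each show exactly one fingerprint and all of them agree;
    suspects lists every source that is missing it or shows something else.
    """
    found = {name: extract_fingerprints(text) for name, text in sources.items()}
    votes = Counter(next(iter(f)) for f in found.values() if len(f) == 1)
    if not votes:
        return None, sorted(found)
    majority, count = votes.most_common(1)[0]
    suspects = sorted(name for name, f in found.items() if f != {majority})
    agreed = not suspects and count >= min_sources
    return (majority if agreed else None), suspects

# Constructed sample data. GOOD is a placeholder, not the real Qubes master key fingerprint.
GOOD = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
SOURCES = {
    "wiki_over_https": "<pre>Key fingerprint = " + GOOD + "</pre>",
    "mailing_list_archive": "fingerprint: 0123456789abcdef0123456789abcdef01234567",
    "printed_slide_photo": "QMSK " + GOOD.replace("  ", " "),
    "wiki_fetched_on_open_wifi": "<pre>Key fingerprint = FFFF" + GOOD[4:] + "</pre>",
}

if __name__ == "__main__":
    print(cross_check(SOURCES))
```

A single disagreeing source is enough to withhold the fingerprint: the check does not fall back to the majority, because the point is to notice that one path was tampered with.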


Joanna Rutkowska

Jul 16, 2014, 9:08:54 AM
to qubes...@googlegroups.com, qubes...@googlegroups.com
Oh, and FWIW (in case you don't believe the CA chain):

[user@work-admin qubes-wiki]$ openssl x509 -in wiki.qubes-os.org-cert.pem -noout -fingerprint
SHA1 Fingerprint=84:AC:9F:01:D2:B7:83:C6:2C:6C:49:79:70:CF:29:74:4C:24:AB:DA

joanna.


Joonas Lehtonen

Jul 16, 2014, 1:07:11 PM
to qubes...@googlegroups.com
> The new wiki is available under the same URL, although https is
> now enforced

I would suggest to make use of HSTS header.
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
https://bettercrypto.org/static/applied-crypto-hardening.pdf

> (if you access via old http:// paths those should be automatically
> redirected to https://-ed ones).

You probably want to do that only on domains/vhosts for which you
actually have a valid certificate.

Your current config generates a certificate warning
because you redirect users from
http://www.qubes-os.org -> https://www.qubes-os.org

instead of
http://www.qubes-os.org -> https://qubes-os.org
or
http://www.qubes-os.org -> http://wiki.qubes-os.org

Joonas Lehtonen

Jul 16, 2014, 1:09:05 PM
to qubes...@googlegroups.com
should be:
http://www.qubes-os.org -> https://wiki.qubes-os.org
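
An added example (not part of the original posts, and not the server's actual configuration) that turns the two messages above into a check: for each redirect target, confirm it is https, that the certificate's names cover the target host, and that the target sends a usable HSTS header. It assumes the certificate names only wiki.qubes-os.org; the function names and the header value are hypothetical.

```python
from urllib.parse import urlsplit

def cert_covers(host, cert_names):
    """True if host matches a certificate DNS name (exact, or one-label wildcard)."""
    host = host.lower().rstrip(".")
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False

def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        val = val.strip().strip('"')
        if key.strip().lower() == "max-age" and val.isdigit():
            return int(val)
    return None

def audit_redirect(location, cert_names, target_headers=None):
    """Findings for the Location an http:// vhost redirects to (empty list = fine)."""
    target = urlsplit(location)
    host = target.hostname or ""
    if target.scheme != "https":
        return ["redirect target is not https"]
    if not cert_covers(host, cert_names):
        return ["certificate does not cover " + host]
    headers = {k.lower(): v for k, v in (target_headers or {}).items()}
    if not hsts_max_age(headers.get("strict-transport-security", "")):
        return ["no usable Strict-Transport-Security header"]
    return []

# Constructed inputs. Assumption: the certificate names only wiki.qubes-os.org.
CERT_NAMES = ["wiki.qubes-os.org"]
HSTS = {"Strict-Transport-Security": "max-age=31536000"}  # hypothetical response header
REDIRECTS = [  # targets discussed in the thread, all redirected from http://www.qubes-os.org
    "https://www.qubes-os.org/",
    "http://wiki.qubes-os.org/",
    "https://wiki.qubes-os.org/",
]

if __name__ == "__main__":
    for loc in REDIRECTS:
        print(loc, audit_redirect(loc, CERT_NAMES, HSTS))
```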

J.M. Porup

Jul 16, 2014, 1:42:59 PM
to qubes...@googlegroups.com
Could the wiki User Guides be turned into man pages or the like for
distribution as part of Qubes?

>
> Unfortunately in order to allow potential attackers to get caught when
> using stolen Qubes cert or session key even (and serving fake content)
> some form of monitoring infrastructure would need to be established.
>
> joanna.

Marek Marczykowski-Górecki

Jul 16, 2014, 3:56:13 PM
to Joonas Lehtonen, qubes...@googlegroups.com
On 16.07.2014 19:08, Joonas Lehtonen wrote:
>> instead of http://www.qubes-os.org -> https://qubes-os.org or
>> http://www.qubes-os.org -> http://wiki.qubes-os.org
> should be:
> http://www.qubes-os.org -> https://wiki.qubes-os.org

Fixed, thanks.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Marek Marczykowski-Górecki

Jul 16, 2014, 3:59:47 PM
to J.M. Porup, qubes...@googlegroups.com
There are man pages for qvm-* tools. This is exactly the same as:
https://wiki.qubes-os.org/wiki/DomZeroTools

J.M. Porup

Jul 16, 2014, 6:16:20 PM
to qubes...@googlegroups.com
I was thinking more like this:

https://wiki.qubes-os.org/wiki/UserDoc

JMP

Joonas Lehtonen

Jul 17, 2014, 6:36:12 AM
to qubes...@googlegroups.com
> There are man pages for qvm-* tools.

Which package does one have to install to get them?

Marek Marczykowski-Górecki

Jul 17, 2014, 6:39:16 AM
to Joonas Lehtonen, qubes...@googlegroups.com
On 17.07.2014 12:35, Joonas Lehtonen wrote:
>> There are man pages for qvm-* tools.
>
> Which package does one have to install to get them?

qubes-core-dom0-doc, it should be installed by default.

Ted Brenner

Jul 18, 2014, 12:37:43 PM
to Marek Marczykowski-Górecki, Joonas Lehtonen, qubes...@googlegroups.com
I just installed Qubes and I don't seem to have qubes-core-dom0-doc. Or any man pages. I downloaded the ISO probably a week ago.
--
Sent from my Desktop

Axon

Mar 7, 2015, 11:25:33 PM
to Marek Marczykowski-Górecki, Joonas Lehtonen, qubes...@googlegroups.com
Marek Marczykowski-Górecki wrote:
> On 17.07.2014 12:35, Joonas Lehtonen wrote:
>>> There are man pages for qvm-* tools.
>>
>> Which package does one have to install to get them?
>
> qubes-core-dom0-doc, it should be installed by default.
>

On my fully updated system, I have man pages for all of the usual
Linux commands, but none for qvm-* commands and no doc package:

[axon@dom0 ~]$ man qvm-start
No manual entry for qvm-start
[axon@dom0 ~]$ man qvm-run
No manual entry for qvm-run
[axon@dom0 ~]$ man qvm-backup
No manual entry for qvm-backup
[axon@dom0 ~]$ sudo yum info qubes-core-dom0-doc
Error: No matching Packages to list

David Hobach

Mar 8, 2015, 5:37:55 AM
to Axon, Marek Marczykowski-Górecki, Joonas Lehtonen, qubes...@googlegroups.com


On 08.03.2015 05:25, Axon wrote:
> Marek Marczykowski-Górecki wrote:
>> On 17.07.2014 12:35, Joonas Lehtonen wrote:
>>>> There are man pages for qvm-* tools.
>>>
>>> Which package does one have to install to get them?
>>
>> qubes-core-dom0-doc, it should be installed by default.
>>
>
> On my fully updated system, I have man pages for all of the usual
> Linux commands, but none for qvm-* commands and no doc package:
>
> [axon@dom0 ~]$ man qvm-start
> No manual entry for qvm-start
> [axon@dom0 ~]$ man qvm-run
> No manual entry for qvm-run
> [axon@dom0 ~]$ man qvm-backup
> No manual entry for qvm-backup
> [axon@dom0 ~]$ sudo yum info qubes-core-dom0-doc
> Error: No matching Packages to list

Same here.

Joonas Lehtonen

Mar 8, 2015, 5:47:52 AM
to qubes...@googlegroups.com
> Marek Marczykowski-Górecki wrote:
>> On 17.07.2014 12:35, Joonas Lehtonen wrote:
>>>> There are man pages for qvm-* tools.
>>>
>>> Which package does one have to install to get them?
>
>> qubes-core-dom0-doc, it should be installed by default.
>
>
> On my fully updated system, I have man pages for all of the usual
> Linux commands, but none for qvm-* commands and no doc package

what does
sudo qubes-dom0-update install qubes-core-dom0-doc
say?


btw: I still find it irritating that the program package doesn't
include the manpages.

Joonas Lehtonen

Mar 8, 2015, 5:49:34 AM
to qubes...@googlegroups.com
Joonas Lehtonen:
>> Marek Marczykowski-Górecki wrote:
>>> On 17.07.2014 12:35, Joonas Lehtonen wrote:
>>>>> There are man pages for qvm-* tools.
>>>>
>>>> Which package does one have to install to get them?
>
>>> qubes-core-dom0-doc, it should be installed by default.
>
>
>> On my fully updated system, I have man pages for all of the usual
>> Linux commands, but none for qvm-* commands and no doc package
>
> what does sudo qubes-dom0-update install qubes-core-dom0-doc say?

remove 'install' from that line ;)

David Hobach

Mar 9, 2015, 1:24:13 PM
to Joonas Lehtonen, qubes...@googlegroups.com


On 08.03.2015 10:49, Joonas Lehtonen wrote:
> Joonas Lehtonen:
>>> Marek Marczykowski-Górecki wrote:
>>>> On 17.07.2014 12:35, Joonas Lehtonen wrote:
>>>>>> There are man pages for qvm-* tools.
>>>>>
>>>>> Which package does one have to install to get them?
>>
>>>> qubes-core-dom0-doc, it should be installed by default.
>>
>>
>>> On my fully updated system, I have man pages for all of the usual
>>> Linux commands, but none for qvm-* commands and no doc package
>>
>> what does sudo qubes-dom0-update install qubes-core-dom0-doc say?
>
> remove 'install' from that line ;)

Computer says yes. ^^
Thanks.
