Important APT security update - please read the instructions to upgrade APT safely debian.org/security/2019/dsa-4

@debian Ouch. I wondered why Debian wasn't using HTTPS. Any plans to do so now, in the light of this vulnerability?

@wizzwizz4 Debian already supports https. But TLS certificates depends on CAs, and most on them aren't trustworthy. Unless you use DANE/HPKP, don't expect https to *prevent* MITM attacks.

packages.debian.org/en/stretch

@debian

@devnull Fair point. However, loads of CAs are trusted by default for _everything else_, and it's better to pile on extra layers so an attacker will need to break _all_ of them.

@wizzwizz4 That's a huge problem. CAs shouldn't be trusted, because they don't give a crap about security. They're only for profit.

More software need to support DANE, more admins need to learn how to configure DANE and HPKP properly.

@devnull

1. Let's Encrypt.
2. It helps to prevent attackers from easily utilising a vulnerability in one layer of mitigation.

Yeah, it's not perfect. But yes, it's better than nothing. HTTPS + DANE is better than HTTPS + CAs, but HTTPS + DANE + CAs is even better. And @debian doesn't have DANE yet, anyway!

@wizzwizz4 @devnull @debian

As the goal is to trust debian, is it possible for debian to supply the needed certificate rather than let's encrypt?

@RussSharek @devnull That's what self-signing the certificate is, basically. It doesn't promise that the certificate is actually Debian's certificate, because you…

Oh, I see what you're saying. Debian is the CA, and bundles its own signature with Debian? Ehh… not sure how much security nuts would appreciate that. I certainly wouldn't appreciate the software distributor having the technical means to transparently intercept all of my traffic. But it's certainly a possible solution.

@wizzwizz4 > It doesn't promise that the certificate is actually Debian's certificate

CAs don't, they deliver forged certs to malicious third parties, either for profit (see what micro$oft did with ie certificates in Tunisia (and NOT only in Tunisia) years ago, with the help from malicious CA, to help the government to spy on people), or by mistake (even Let's Encrypt has been abused)

HPKP does, a certificate can't be valid if it hasn't been signed by the pinned keys.

@RussSharek

@wizzwizz4 And the only persons that can pin a key are either the admins of the server you're trusting, or someone who succeeded to compromise the server and gain root access (or at least some privileged user), in which case you're screwed whether the certificate is CA-signed or not.

@RussSharek

@wizzwizz4 > I certainly wouldn't appreciate the software distributor having the technical means to transparently intercept all of my traffic.

Not all traffic… just apt using a Debian CA, so it won't have to trust another CA/third party (The less entities you need to trust, the better. Less likely to be screwed over) . They wouldn't need to be a CA if they wanted to intercept your traffic, as you run code written by Debian, and third party software build and packaged ba Debian…

@RussSharek

@devnull

Yeah, it comes down to a question of whether or not you trust Debian not to be evil.

@wizzwizz4

Follow

@RussSharek Yeah, but if you don't, don't use Debian or any derivative, or any derivative of derivative… and so on. So you wouldn't by concerned about that all.

If you use Debian, then by definition you do trust Debian, unless you're drunk or high when you install anld use your OS(es) (or really stupid)

@wizzwizz4

@devnull

I was just thinking about the massive chain of trust that is the Debian lineage as a whole.

@wizzwizz4

@devnull @wizzwizz4

I'm also thinking "In Debian we trust, but we still review the damn code." ought to be a mission statement.

@RussSharek Agreed

(Now, I want money to have a Debian logo and "In Debian we trust, but we still review the damn code." written on it 😂 )

@wizzwizz4

@devnull my IT manager always says « Trust doesn't exclude control » @RussSharek @wizzwizz4

@RussSharek Indeed. Just like any other OS (or even other software like clients for proprietary communication protocols with their own CA stores, firewall bypassing mechanisms (see skype)…). So being a CA for it's own repos is far less risky than many commonly accepted practices (For example using "apps" for centralized and proprietary online services, where the service provide controls the client code as well. Or using google and gmail and try to block web trackers "for privacy")

@wizzwizz4

Sign in to participate in the conversation
La Quadrature du Net - Mastodon - Media Fédéré

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!