
List:       opensuse-security
Subject:    Re: [opensuse-security] Why no SSL for download.opensuse.org ?
From:       "Carlos E. R." <robin.listas () telefonica ! net>
Date:       2013-07-07 20:25:37
Message-ID: alpine.LNX.2.00.1307072209040.6576 () Telcontar ! valinor

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On Saturday, 2013-07-06 at 10:34 +0200, Malte Gell wrote:

> We have learned how much effort governments take to control and monitor
> the Internet. With this in regard, wouldn't it make sense to switch
> download.opensuse.org to SSL? I know, rpm packages are signed with
> GnuPG, but if you add a new repo an attacker still is able to give you a
> forged GnuPG key and a forged repo, not the repo you actually tried to
> subscribe to. Thus, GnuPG signing of rpm does not prohibit man in the
> middle attacks. I think SSL for download.opensuse.org would give more
> safety to people living in authoritarian regimes who want to download
> openSUSE software.

Not practical.

Most of the downloads do not come from download.opensuse.org, but from 
mirrors all over the world. The certificate would apply to 
download.opensuse.org, whereas the actual download might be coming from 
anywhere (download.opensuse.org is a redirector), meaning they would not 
match and the connection would be invalidated.

To do this you would have to force all mirrors to provide SSL with a proper 
certificate (which costs money), or opensuse.org would have to act as a 
certification authority.

What you need instead is convincing openSUSE to apply a good security 
policy to the GnuPG signatures used.

For example, view this thread for more info: 
<http://forums.opensuse.org/showthread.php?t=469581>


or vote:

<https://features.opensuse.org/312047>
make repo keys available on project's web site via SSL

or more info:

<https://forums.opensuse.org/english/other-forums/community-fun/general-chit-chat/448550-new-signing-key-opensuse-11-3-contrib-trust-not-trust.html>
 <https://forums.opensuse.org/english/get-technical-help-here/install-boot-login/466970-new-repository-key-how-verify.html>


- -- 
Cheers,
        Carlos E. R.
        (from 12.3 x86_64 "Dartmouth" at Telcontar)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iEYEARECAAYFAlHZzskACgkQtTMYHG2NR9VRNACeOw5ObvpMLhceyeJKndzOKK5K
pDgAn1VSuAQxy0d77YKqoxxxcPheLXOv
=j7Rm
-----END PGP SIGNATURE-----
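The key-signing policy Carlos asks for comes down to one check: the fingerprint of the key a new repo hands you must match a fingerprint you obtained out of band (the project's web site over SSL, a printed notice, an already-trusted key). The following is an added example, not code from this list, from openSUSE or from zypper/rpm. It computes the OpenPGP v4 fingerprint of a public-key packet exactly as RFC 4880 section 12.2 defines it (SHA-1 over 0x99, the two-byte body length and the body), and compares it in constant time against a pinned value. The sample key is constructed here with a made-up 64-bit modulus and creation time; the pinned fingerprint in the usage below is simply whatever that sample yields. With a real key you would feed in the output of `gpg --export --no-armor KEYID` and pin the fingerprint the project publishes.

```python
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def build_v4_public_key_packet(created: int, n: int, e: int) -> bytes:
    """Build an old-format OpenPGP packet (tag 6, 1-byte length) carrying a v4 RSA public key.

    Used only to construct a sample; the modulus is not a real key.
    """
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    if len(body) >= 256:
        raise ValueError("sample builder only emits 1-byte packet lengths")
    header = bytes([0x80 | (6 << 2) | 0])  # old format, tag 6, length-type 0
    return header + bytes([len(body)]) + body


def parse_packet(data: bytes):
    """Parse the first old-format OpenPGP packet and return (tag, body).

    gpg --export writes the primary key as the first packet, so reading one
    packet is enough to fingerprint it. Indeterminate and new-format lengths
    are rejected rather than guessed.
    """
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:
        raise ValueError("new-format packet header not handled in this example")
    tag = (first >> 2) & 0x0F
    length_type = first & 0x03
    if length_type == 0:
        length, off = data[1], 2
    elif length_type == 1:
        length, off = int.from_bytes(data[1:3], "big"), 3
    elif length_type == 2:
        length, off = int.from_bytes(data[1:5], "big"), 5
    else:
        raise ValueError("indeterminate packet length not supported")
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body


def v4_fingerprint(packet: bytes) -> str:
    """Return the 40-hex-digit v4 fingerprint of a public key or subkey packet (RFC 4880 12.2)."""
    tag, body = parse_packet(packet)
    if tag not in (6, 14):  # 6 = public key, 14 = public subkey
        raise ValueError("packet is not a public key")
    if body[0] != 4:
        raise ValueError("only v4 keys are fingerprinted this way")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID gpg prints is the low 8 bytes of the v4 fingerprint."""
    return fingerprint[-16:]


def verify_pinned(packet: bytes, pinned: str) -> bool:
    """True only if the key's fingerprint equals the out-of-band pinned one.

    Spaces in the pinned value (as gpg --fingerprint prints it) are ignored;
    the comparison is constant-time so a mismatch leaks nothing about position.
    """
    expected = pinned.replace(" ", "").upper()
    return hmac.compare_digest(v4_fingerprint(packet), expected)


# Constructed sample key (made-up creation time and modulus, e = 65537).
SAMPLE_KEY = build_v4_public_key_packet(0x52000000, 0xC0FFEE123456789B, 65537)
# Same key with one bit of the modulus changed, as an attacker swapping keys would.
TAMPERED_KEY = build_v4_public_key_packet(0x52000000, 0xC0FFEE123456789C, 65537)

if __name__ == "__main__":
    fpr = v4_fingerprint(SAMPLE_KEY)
    print("fingerprint:", fpr, "key id:", key_id(fpr))
    print("pinned key matches:", verify_pinned(SAMPLE_KEY, fpr))
    print("tampered key matches:", verify_pinned(TAMPERED_KEY, fpr))
```

Note what this does and does not give you: a matching fingerprint proves the key you received is the one you pinned, regardless of which mirror or redirect delivered it, which is exactly why the thread argues for publishing fingerprints rather than for SSL on the redirector. It does nothing if the pinned value itself came over the same untrusted path.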


-- 
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org

