What are the plans for the CentOS repos with respect to authentication
and https everywhere? At the moment it is a trivial exercise to
perform a MTM attack during a yum update over http.
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
On Fri, May 15, 2015 at 03:44:39PM -0400, James B. Byrne wrote:> What are the plans for the CentOS repos with respect to authentication > and https everywhere? At the moment it is a trivial exercise to > perform a MTM attack during a yum update over http.Since the packages themselves are signed, what risk are you concerned about? -- Matthew Miller <mattdm at fedoraproject.org> Fedora Project Leader
On 05/15/2015 02:49 PM, Matthew Miller wrote:> On Fri, May 15, 2015 at 03:44:39PM -0400, James B. Byrne wrote: >> What are the plans for the CentOS repos with respect to authentication >> and https everywhere? At the moment it is a trivial exercise to >> perform a MTM attack during a yum update over http. > > Since the packages themselves are signed, what risk are you concerned > about? >Not only are the packages signed, but we're now offering signed repository metadata as well. HTTPS is an incremental improvement, but is by no means a silver bullet. Look at the superfish fiasco if anyone thinks otherwise. The other side to this is many people update from outside .centos.org. Who's cert would you use for mirrors.kernel.org/centos/7/os/x86_64/ for example? -- Jim Perrin The CentOS Project | http://www.centos.org twitter: @BitIntegrity | GPG Key: FA09AD77