On 05/15/2015 02:49 PM, Matthew Miller wrote:> On Fri, May 15, 2015 at 03:44:39PM -0400, James B. Byrne wrote: >> What are the plans for the CentOS repos with respect to authentication >> and https everywhere? At the moment it is a trivial exercise to >> perform a MTM attack during a yum update over http. > > Since the packages themselves are signed, what risk are you concerned > about? >Not only are the packages signed, but we're now offering signed repository metadata as well. HTTPS is an incremental improvement, but is by no means a silver bullet. Look at the superfish fiasco if anyone thinks otherwise. The other side to this is many people update from outside .centos.org. Who's cert would you use for mirrors.kernel.org/centos/7/os/x86_64/ for example? -- Jim Perrin The CentOS Project | http://www.centos.org twitter: @BitIntegrity | GPG Key: FA09AD77
On 16/05/15 08:36, Jim Perrin wrote:> > > On 05/15/2015 02:49 PM, Matthew Miller wrote: >> On Fri, May 15, 2015 at 03:44:39PM -0400, James B. Byrne wrote: >>> What are the plans for the CentOS repos with respect to authentication >>> and https everywhere? At the moment it is a trivial exercise to >>> perform a MTM attack during a yum update over http. >> >> Since the packages themselves are signed, what risk are you concerned >> about? >> > > Not only are the packages signed, but we're now offering signed > repository metadata as well. > > HTTPS is an incremental improvement, but is by no means a silver bullet. > Look at the superfish fiasco if anyone thinks otherwise. > > The other side to this is many people update from outside .centos.org. > Who's cert would you use for mirrors.kernel.org/centos/7/os/x86_64/ for > example?Agreed, MITM isn't a great problem as the packages are signed. People monitoring your connection know what you've updated, and what you haven't, thus knowing what you may be vulnerable to, is a problem. But quite arguably not a great as problem as a MITM attack. Pete.
On 05/16/2015 04:18 PM, Peter Lawler wrote:> People monitoring your connection know what you've updated, and what you > haven't, thus knowing what you may be vulnerable to, is a problem.If I'm monitoring your https connection: I know the list of mirrors. That's public information. I know when updates are released. That's also public. I know when you last connected, so I can probably reason what you haven't updated. If I track the amount of data you download, I can probably tell if you skip an update, as well. https doesn't improve your privacy in this application.