oss-sec mailing list archives
Re: CVE for Kali Linux
From: Solar Designer <solar () openwall com>
Date: Sun, 22 Mar 2015 20:23:00 +0300
On Sun, Mar 22, 2015 at 12:54:57PM -0400, David A. Wheeler wrote:
> On 2015-02-26 I reported to Cygwin that they had a similar man-in-the-middle issue. The Cygwin package manager (which downloaded all other packages) was unprotected and downloaded using http (as http://cygwin.com/setup-x86.exe or http://cygwin.com/setup-x86_64.exe). They changed it to load with HTTPS, and later added HTTP Strict Transport Security (HSTS).

IMO, http vs. https is a red herring. We shouldn't be focusing on security of software downloads, but rather on authenticity of the software. If the distribution web server gets compromised, https doesn't help. Thus, GPG signatures and the like. I find it ridiculous if we primarily complain that some site serves downloads over http, and I find it ridiculous if we say they fixed "the problem" when they move to https.

> Should I have requested a CVE?

I don't care about CVEs much, but if CVEs start being assigned to anything like this, they should be for lack of signatures or lack of signature verification in the vendor's recommended software installation or update mechanism or lack of a way to verify the signing key or lack of key verification in the vendor's recommended procedures (where applicable). (With key verification, it gets tricky. So probably those issues are not CVE-worthy yet, except in extreme cases where e.g. new signing keys would be downloaded automatically with no verification.)

They should not be for use of http, nor for https vulnerabilities.

https does offer a security aspect that signatures don't: it hides from some observers which exact software is being downloaded (and maybe that it's a software download at all). It doesn't do that perfectly because the target address and transfer timings and sizes may be revealing, but I do acknowledge there's some subtle improvement over http here. I just think this is far less important than ensuring authenticity of the software.

So let's demand signatures and signature verification first, and let's not be distracted by http vs. https.

Alexander
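The point made above (a signature checked against a key the client already trusts protects authenticity even when the distribution server itself is compromised, whereas accepting a signing key delivered alongside the download does not) can be shown in a few dozen lines. The following is an added illustration, not code from this thread, from Solar Designer, or from any of the projects mentioned; it uses Go's standard-library Ed25519 in place of GPG, and the artifact contents, the vendor key pair, and the "compromised mirror" that re-signs a replaced artifact are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Release is what a download site serves: the artifact, a detached signature
// over its SHA-256 digest, and a public key the site claims made that
// signature. Trusting ServedKey is the anti-pattern the mail warns about,
// since it travels over the same channel as the artifact.
type Release struct {
	Artifact  []byte
	Signature []byte
	ServedKey ed25519.PublicKey
}

// digest returns the SHA-256 of the artifact; the signature covers this.
func digest(b []byte) []byte {
	h := sha256.Sum256(b)
	return h[:]
}

// Publish models the vendor's release step: sign the artifact digest with the
// vendor's private key and serve the matching public key next to it.
func Publish(priv ed25519.PrivateKey, artifact []byte) Release {
	return Release{
		Artifact:  artifact,
		Signature: ed25519.Sign(priv, digest(artifact)),
		ServedKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyPinned is the check the mail argues for: the public key was obtained
// and verified out of band (shipped with a prior install, fingerprint-checked,
// etc.), so whether the download came over http or https is irrelevant to
// authenticity.
func VerifyPinned(pinned ed25519.PublicKey, r Release) error {
	if !ed25519.Verify(pinned, digest(r.Artifact), r.Signature) {
		return errors.New("signature does not verify under the pinned vendor key")
	}
	return nil
}

// VerifyServedKey is the weak pattern: accept whatever key arrives with the
// download. It catches accidental corruption but not a server that controls
// the whole response.
func VerifyServedKey(r Release) error {
	if !ed25519.Verify(r.ServedKey, digest(r.Artifact), r.Signature) {
		return errors.New("signature does not verify under the served key")
	}
	return nil
}

// CompromisedMirror models the threat the mail describes: a distribution
// server (or anyone else in control of the response) swaps the artifact and,
// since it also controls the served key, signs the replacement with its own
// freshly generated key. This is a constructed scenario for the demonstration.
func CompromisedMirror(replacement []byte) Release {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Release{
		Artifact:  replacement,
		Signature: ed25519.Sign(priv, digest(replacement)),
		ServedKey: pub,
	}
}

// Scenario runs both verifiers over a genuine release and a replaced one and
// reports: genuine release verifies under the pinned key; pinned key rejects
// the replacement; served-key check wrongly accepts the replacement.
func Scenario() (genuineOK, pinnedRejects, servedKeyAccepts bool) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := Publish(vendorPriv, []byte("installer v1.0 (constructed sample content)"))
	replaced := CompromisedMirror([]byte("installer v1.0 with unwanted changes (constructed)"))

	genuineOK = VerifyPinned(vendorPub, genuine) == nil
	pinnedRejects = VerifyPinned(vendorPub, replaced) != nil
	servedKeyAccepts = VerifyServedKey(replaced) == nil
	return genuineOK, pinnedRejects, servedKeyAccepts
}

func main() {
	ok, rej, acc := Scenario()
	fmt.Printf("genuine verifies under pinned key: %v\n", ok)
	fmt.Printf("pinned key rejects replaced artifact: %v\n", rej)
	fmt.Printf("served-key check accepts replaced artifact: %v\n", acc)
}
```

The contrast between VerifyPinned and VerifyServedKey is the whole argument: the transport can be http, https, or a USB stick, and the pinned-key check gives the same answer, while the served-key check is only as trustworthy as the server that produced the response. How the pinned key is established in the first place is the "tricky" key-verification problem the mail sets aside.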