oss-sec mailing list archives

Re: CVE for Kali Linux


From: Solar Designer <solar () openwall com>
Date: Sun, 22 Mar 2015 20:50:40 +0300

On Sun, Mar 22, 2015 at 08:23:00PM +0300, Solar Designer wrote:
> On Sun, Mar 22, 2015 at 12:54:57PM -0400, David A. Wheeler wrote:
> > On 2015-02-26 I reported to Cygwin that they had a similar man-in-the-middle issue.
> > The Cygwin package manager (which downloaded all other packages) was unprotected
> > and downloaded using http (as http://cygwin.com/setup-x86.exe or http://cygwin.com/setup-x86_64.exe).
> > They changed it to load with HTTPS, and later added HTTP Strict Transport Security (HSTS).
> 
> IMO, http vs. https is a red herring.  We shouldn't be focusing on
> security of software downloads, but rather on authenticity of the
> software.  If the distribution web server gets compromised, https
> doesn't help.  Thus, GPG signatures and the like.

I think I need to add that Cygwin's setup-*.exe was special, and that it
actually needed the switch to https.  (In addition to having proper
signatures for it.)  Thank you, David!

Other software downloads also benefit from https slightly - not only in
the way I mentioned (partially hiding from some observers which exact
software is being downloaded), but also through providing some limited
security from MITM attacks for people's manual downloads even when those
people wouldn't bother to verify signatures.  This is not limited to
just Cygwin, although with Cygwin's setup-*.exe I think it mattered more
than for most other software.

However, I think this is an operations best practices issue and not a
software issue, whereas lack of proper signatures in a software update
mechanism is much closer to being an issue with the software itself.

Alexander
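The point of the message above is that transport security does not establish authenticity: if the distribution server itself is compromised, HTTPS delivers the attacker's file just as faithfully. The following script is an added illustration written for this archive page, not code from the thread or from Cygwin. It models the download-verification flow that signatures buy you: a checksum manifest signed with a key the client already holds (the trust anchor), checked before the manifest is trusted to vouch for the artifact. A deliberately toy RSA (no padding, short keys, generated in-process) stands in for GPG so that the example runs offline; the installer bytes, file name and attacker scenarios are all constructed for the demo.

```python
"""Verify a software download by (1) checking a detached signature over a
checksum manifest against a locally pinned public key and (2) checking the
artifact against that manifest. Toy RSA stands in for GPG (assumption made
for an offline demo; never use this in place of a real signature scheme)."""
import hashlib
import random


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin probable-prime test (enough for a demo key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def make_keypair(bits=160, seed=2015):
    """Deterministic toy RSA key pair; n > 2^256 so a SHA-256 digest fits."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits, rng), _gen_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))  # (public, private)


def _manifest_digest_int(manifest: bytes) -> int:
    return int.from_bytes(hashlib.sha256(manifest).digest(), "big")


def sign_manifest(manifest: bytes, priv) -> int:
    n, d = priv
    return pow(_manifest_digest_int(manifest), d, n)


def signature_valid(manifest: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == _manifest_digest_int(manifest)


def verify_download(name, artifact, manifest, sig, pinned_pub):
    """Return (ok, reason). The pinned public key must come from somewhere
    other than the download channel; everything else may be attacker-served."""
    if not signature_valid(manifest, sig, pinned_pub):
        return False, "manifest signature invalid: not signed by the pinned key"
    expected = None
    for line in manifest.decode().splitlines():
        parts = line.split()  # sha256sum-style "<hex>  <filename>" lines
        if len(parts) == 2 and parts[1] == name:
            expected = parts[0]
    if expected is None:
        return False, f"{name} not listed in the signed manifest"
    if hashlib.sha256(artifact).hexdigest() != expected:
        return False, "artifact digest does not match the signed manifest"
    return True, "ok"


# Constructed demo data: a stand-in installer and the vendor's signed manifest.
PUB, PRIV = make_keypair()
GOOD = b"#!/bin/sh\necho setup\n"
MANIFEST = f"{hashlib.sha256(GOOD).hexdigest()}  setup.sh\n".encode()
SIG = sign_manifest(MANIFEST, PRIV)


def scenario_results():
    """Genuine download, a server serving a modified file, and a server that
    also rewrites the manifest (it cannot produce a signature from PRIV)."""
    evil = GOOD + b"echo backdoor\n"
    forged = f"{hashlib.sha256(evil).hexdigest()}  setup.sh\n".encode()
    _, attacker_priv = make_keypair(seed=666)  # attacker's own, unpinned key
    return {
        "genuine": verify_download("setup.sh", GOOD, MANIFEST, SIG, PUB),
        "tampered_artifact": verify_download("setup.sh", evil, MANIFEST, SIG, PUB),
        "forged_manifest": verify_download(
            "setup.sh", evil, forged, sign_manifest(forged, attacker_priv), PUB),
    }


if __name__ == "__main__":
    for case, (ok, why) in scenario_results().items():
        print(f"{case:18s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Only the first scenario is accepted. The second fails on the digest even though the manifest is authentic, and the third fails on the signature because the attacker controls the server but not the key the client pinned out of band; neither outcome depends on whether the bytes travelled over http or https.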

