[CentOS-devel] False statement about insecurity made on Wiki

On Wed, 2021-02-10 at 06:48 +1000, Chris Drake wrote:
> Your Wkii page here:
> 
> https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F
> 
> After discussion in which it was confirmed that TLS *could* be
> implemented "but traditionally we have not done so", was just updated
> by
> Manuel Wolfshant with the following lie:-
> 
> *Note: downloads are hosted on a mirror network, where we cannot
> mandate
> that every mirror node runs SSL/TLS, hence using regular http and not
> enforcing https*
> 
> False statements are disgusting to begin with, but ones that attempt
> to
> excuse the lazy decision to put all CentOS customers at risk are
> totally
> unacceptable.  LE is free and easy to use and setup - it's a no-
> brainer to
> fix this problem, assuming someone isn't getting a kickback from some
> 3-letter-agency to leave this exploitable security hole open ?
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> https://lists.centos.org/mailman/listinfo/centos-devel

Well..

*Technically* CentOS users are not customers - at all in fact - unless
they also happen to also own a paid RHEL subscription.

Now onto the issue at hand. While the info should be accurate, I don't
think it's a big deal.

TLS is certainly preferable for the mirror network, it isn't entirely
required from a security point of view.

Realistically TLS shines most when you're transporting customer (user
data) or are dealing with some kind of sensitive information, trying to
stop prying eyes etc.

>From a mirror perspective it's not overly important because the only
protection TLS can add in this case is to prevent RPM tampering. But
even if someone intercepted your connection and successfully switched
the RPM while it was downloading the risk is minimal.

This is because your local machine has the GPG key identity required
for the packages. All CentOS (and most RPM distros) sign their packages
with a GPG key, which package managers then use to verify the RPM has
not been tampered with.

That's why if you want to install a non-GPG signed package from a repo
you need to specifically tell yum/dnf to ignore GPG signing.

So, TLS or not, if your package has been swapped with a fake, your
package manager should notice this and refuse to install that package.

The biggest problem from a security point of view would probably be a
rogue mirror that serves up modified packages.. a rogue mirror could
also carry TLS.

That's why you sign the RPM for security.

If you're worried that someone sees the package your about to install,
just remember two things:

1) Mirrors are public, everyone can easily know what packages and their
versions exist.

2) If there's an exploitable package just waiting to be installed for
an easy exploit.. whoever has that exploit will probably be randomly
probing systems for it - they won't need to monitor a mirrors
downloads..

This of course is all my quick and short personal opinion, I don't work
for Red Net. I reserve the right to be dead wrong.

Just my 3c.

- Jake