[CentOS-devel] False statement about insecurity made on Wiki

Wed Feb 10 04:06:24 UTC 2021
Leon Fauster <leonfauster at googlemail.com>

On 10.02.21 at 02:41, Jake Shipton wrote:
> On Wed, 2021-02-10 at 06:48 +1000, Chris Drake wrote:
>> Your Wiki page here:
>>
>> https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F
>>
>> After discussion in which it was confirmed that TLS *could* be
>> implemented "but traditionally we have not done so", was just updated by
>> Manuel Wolfshant with the following lie:-
>>
>> *Note: downloads are hosted on a mirror network, where we cannot mandate
>> that every mirror node runs SSL/TLS, hence using regular http and not
>> enforcing https*
>>
>> False statements are disgusting to begin with, but ones that attempt to
>> excuse the lazy decision to put all CentOS customers at risk are totally
>> unacceptable.  LE is free and easy to use and setup - it's a no-brainer to
>> fix this problem, assuming someone isn't getting a kickback from some
>> 3-letter-agency to leave this exploitable security hole open ?
> 
> Well..
> 
> *Technically* CentOS users are not customers - at all in fact - unless
> they also happen to also own a paid RHEL subscription.
> 
> Now onto the issue at hand. While the info should be accurate, I don't
> think it's a big deal.
> 
> TLS is certainly preferable for the mirror network, it isn't entirely
> required from a security point of view.
> 
> Realistically TLS shines most when you're transporting customer (user
> data) or are dealing with some kind of sensitive information, trying to
> stop prying eyes etc.
> 
> From a mirror perspective it's not overly important because the only
> protection TLS can add in this case is to prevent RPM tampering. But
> even if someone intercepted your connection and successfully switched
> the RPM while it was downloading the risk is minimal.
> 
> This is because your local machine has the GPG key identity required
> for the packages. All CentOS (and most RPM distros) sign their packages
> with a GPG key, which package managers then use to verify the RPM has
> not been tampered with.
> 
> That's why if you want to install a non-GPG signed package from a repo
> you need to specifically tell yum/dnf to ignore GPG signing.
> 
> So, TLS or not, if your package has been swapped with a fake, your
> package manager should notice this and refuse to install that package.
> 
> The biggest problem from a security point of view would probably be a
> rogue mirror that serves up modified packages.. a rogue mirror could
> also carry TLS.
> 
> That's why you sign the RPM for security.

dnf not checking GPG signatures sounds scary:

https://github.com/ansible/ansible/blob/v2.9.13/changelogs/CHANGELOG-v2.9.rst#security-fixes
--
Leon
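The thread's point is that over plain-http mirrors the only thing standing between a swapped RPM and an installed one is dnf's GPG check, which is why a repo or tool that skips that check is the real concern. The following added example (not code from the thread, CentOS or the dnf project) audits dnf/yum configuration for exactly that property: it reads a `[main]` gpgcheck setting and a `.repo` file, computes each repository's effective gpgcheck, and flags repos that are reachable over http without signature checking. The config text is constructed for the example, the `.invalid` hostnames are placeholders, and the fallback of treating a missing gpgcheck as off is an assumption taken from dnf.conf(5)'s documented default rather than from the thread.

```python
"""Audit dnf/yum repo configuration: is package GPG checking on where
packages travel over plain http?  (Added example; sample config below is
constructed, not CentOS's shipped configuration.)"""
import configparser
from urllib.parse import urlparse

# Constructed sample dnf.conf: [main] enables gpgcheck for every repo
# that does not override it.
SAMPLE_DNF_CONF = """\
[main]
gpgcheck=1
installonly_limit=3
"""

# Constructed sample .repo file with three repositories of different risk.
SAMPLE_REPO_FILE = """\
[baseos]
name=Constructed BaseOS
mirrorlist=http://mirrorlist.example.invalid/?repo=BaseOS
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
gpgcheck=1

[thirdparty]
name=Constructed third-party repo
baseurl=http://repo.example.invalid/el8/
gpgcheck=0

[inherits-main]
name=Constructed repo relying on [main]
baseurl=https://repo.example.invalid/extra/
"""

URL_KEYS = ("baseurl", "mirrorlist", "metalink")


def _as_bool(value):
    """dnf accepts 1/0, true/false, yes/no, on/off for boolean options."""
    return value.strip().lower() in ("1", "true", "yes", "on")


def main_gpgcheck(dnf_conf_text):
    """Global gpgcheck from [main]; assumed default False when unset (dnf.conf(5))."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(dnf_conf_text)
    if cp.has_option("main", "gpgcheck"):
        return _as_bool(cp.get("main", "gpgcheck"))
    return False


def audit_repos(repo_text, global_gpgcheck):
    """Return one dict per repo: id, effective gpgcheck, plain-http flag, verdict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    results = []
    for repo_id in cp.sections():
        sec = cp[repo_id]
        # Per-repo gpgcheck overrides [main]; otherwise the global value applies.
        gpgcheck = _as_bool(sec["gpgcheck"]) if "gpgcheck" in sec else global_gpgcheck
        # Plain http gives no transport integrity; the signature check is then
        # the only thing that catches an RPM swapped in transit or on a mirror.
        urls = [sec[k] for k in URL_KEYS if k in sec]
        plain_http = any(urlparse(u).scheme == "http" for u in urls)
        if gpgcheck:
            verdict = "ok"       # a tampered RPM fails signature verification
        elif plain_http:
            verdict = "unsafe"   # neither TLS nor signature check
        else:
            verdict = "weak"     # TLS only: a rogue or compromised mirror is not caught
        results.append({"id": repo_id, "gpgcheck": gpgcheck,
                        "plain_http": plain_http, "verdict": verdict})
    return results


if __name__ == "__main__":
    g = main_gpgcheck(SAMPLE_DNF_CONF)
    for r in audit_repos(SAMPLE_REPO_FILE, g):
        print(f"{r['id']:14} gpgcheck={int(r['gpgcheck'])} "
              f"plain_http={int(r['plain_http'])} -> {r['verdict']}")
```

Run against real files by feeding the contents of `/etc/dnf/dnf.conf` and each file in `/etc/yum.repos.d/` to the two functions; the "weak" verdict is deliberately separate from "unsafe" because, as the reply above notes, https on its own does nothing against a mirror that serves modified packages.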