[acatton]

Just a security reminder from the last time this got posted[1]

This tool downloads random files from the internet, and check their checksum against other random files from the internet. [2]

This is not the best security practice. (The right security practice would be to have the gpg keys of the distro developers committed in the repository, and checking all files against these keys)

This is not downplaying the effort which was put in this project to find the correct flags to pass to QEMU to boot all of these.

[1] https://news.ycombinator.com/item?id=28797129

[2] https://github.com/quickemu-project/quickemu/blob/0c8e1a5205...

[colejohnson66]

Can someone explain how this is a security problem? While GPG key verification would be the best way to ensure authenticity, it's doing nothing different from what almost everyone does: download the ISO from the distro's own HTTPS site. It then goes beyond what most people do and validates that the hashes matche.

[JeremyNT]

IMO you're exactly right.

I just looked at the shell script and it's not "random" at all, it's getting both the checksum and the ISO from the official source over TLS.

The only way this technique is going to fail is if the distro site is compromised, their DNS lapses, or if there's a MITM attack combined with an incorrectly issued certificate. GPG would be more robust but it's hardly like what this tool is doing is some unforgivable failure either.

It's not that the OP is wrong but I think they give a really dire view of what's happening here.

[npteljes]

Getting the signature and the file from the same place is questionable practice in itself. If the place is hacked, then all the hacker needs to do is to just hash his own file, which has happened in at least one high profile case [0]. And this practice doesn't even offer any extra protection if the resource was accessed with HTTPS in the first place.

[0] https://www.zdnet.com/article/hacker-hundreds-were-tricked-i...

[repelsteeltje]

Absolutely true, but one additional factor (or vector) is that this adds a level of indirection. That is, you're trusting the Quickemu people to take the same diligence you yourself would do when downloading an ISO from, say ubuntu.com for each and every target I can conveniently install with Quickemu.

It's a subtle difference, but the trust-chain could indeed be (mildly) improved by re-distributing the upstream gpg keys.

[Joker_vD]

Eh, you can fetch the GPG keys from some GPG keyserver, it's not like those keys are just random files from the Internet. They're cross-signed, after all!

[IshKebab]

How do you know which keys to get? Let me guess... you read their website.

[funcDropShadow]

> It then goes beyond what most people do and validates that the hashes matche.

It might go above and beyond what most people are doing, but not what most tools are doing. Old school package managers are still a step ahead in this area, because they use GPG to check the authenticity of the data files, independent of the transportation channel. A website to download files and checksums is one such channel. This enables supporting multiple transportation channels, then it was a mirror of ftp mirrors. Today, it might be bittorent or ipfs or a CDN. And GPG supports revoking the trust. Checksums that are hardcoded into a tool cannot be revoked.

As soon as we start to codify practices into tools, they become easier to game and attack. Therefore tools should be held to higher security standards than humans.

[st3fan]

Because you wrote HTTPS in italic .. HTTPS doesn't mean anything. Both the good and bad actors can have perfectly valid HTTPS configured. It is not a good indicator of trustworthiness of the actual thing you download.

[hn_throwaway_99]

> HTTPS doesn't mean anything.

That's not accurate at all. HTTPS should mean "we've validated that the content you're receiving comes from the registered domain that you've hit". Yes, it's possible that the domain host itself was compromised, or that the domain owner himself is malicious, but at the end of the day you have to trust the entity you're getting the content from. HTTPS says, importantly, "You're getting the content from whom you think you're getting it from."

[st3fan]

Yes but we abandoned that idea a while ago. There are no more green locks in browsers. Nobody buys those expensive certificates that proof ownership. When you curl something it doesn't show anything unless it is an actual invalid certificate.

You are correct that it _should mean_ but reality today is that it doesn't mean anything.

[yjftsjthsd-h]

No, it still means that you've connected to the domain that you wanted to connect to and the connection is reasonably resistant to MITM attacks. It doesn't say anything about who controls the domain, but what it provides still isn't nothing.

[st3fan]

It is not about the domain.

"It is not a good indicator of trustworthiness of the actual thing you download."

I just downloaded something with malware from github.com. I indeed wanted to connect to github.com and I trust that it is Github.com. But again ... it did not say _anything_ about the trustworthyness of the _actual_ thing I did, which was to download an asset from that domain.

That is my point. In the context of this discussion about downloading dependencies.

[funcDropShadow]

But by using GPG to check the authenticity of the actual files that are downloaded, we can remove the web site -- whether https is sufficienctly secure or not -- from the trust chain all together. The shorter the trust chain, the better.

[electroly]

> HTTPS says, importantly, "You're getting the content from whom you think you're getting it from."

You need certificate pinning to know this for sure, due to the existence of MITM HTTPS spoofing in things like corporate firewalls. HTTPS alone isn't enough; you have to confirm the certificate is the one you expected. (You can pin the CA cert rather than the leaf certificate if you want, if you trust the CA; that still prevents MITM spoofing.)

[brirec]

I’m not aware of any HTTPS MITM that can function properly without adding its own certificate to the trusted roots on your system (or dismissing a big red warning for every site), so I don’t think certificate pinning is necessary in such an environment (if the concern is MITM by a corporate firewall).

An attacker would still need to either have attacked the domain in question, or be able to forge arbitrary trusted certificates.

[yjftsjthsd-h]

If an attack requires compromising my operating system certificate store, I'm reasonably comfortable excluding it from most of my threat models.

[electroly]

Obviously you choose your own relevant threat models, but it's common to do in iOS apps--many apps are including it in their threat models. Pinning the CA cert is what Apple recommends to app developers. It's not an unreasonable thing to do.

https://developer.apple.com/news/?id=g9ejcf8y

[Zuiii]

I wouldn't be sure about most. I and everyone I worked with took gpg verification seriously. I always verify isos. Always.

People who are responding to you with "you are absolutely right" might not represent the silent majority (within our field, not talking about normal users).

[fsflover]

https://www.qubes-os.org/security/verifying-signatures/#what...

[EasyMark]

Trust is an input into any security equation. Do you trust all sources of these files? I don't think anyone was challenging gpg

[jvanderbot]

How much of this is outdated practice? Shouldn't TCP/TLS be doing checksum and origin signing already?

In the days of FTP, checksum and gpg were vital. With http/TCP, you need more GPG due to TCP handling retries checksum etc, but still both due to MitM.

But with https, how does it still matter? It's doing both verifications and signature checks for you.

[acatton]

TLS prevents a different kind of attack, the MitM one which you describe.

GPG signing covers this threat model but much more, the threats include:

* The server runs vulnerable software and is compromised by script-kiddies. They, then, upload arbitrary packages on the server

* The cloud provider is compromised and attackers take over the server from the admin cloud provider account.

* Attacker use a vulnerability (from SSH, HTTPd, ...) to upload arbitrary software packages to the server

GPG doesn't protect against the developer machine getting compromised, but it guarantees that what you're downloading has been issued from the developer's machine.

[jvanderbot]

I agree, but I think that model of GPG is not how it's used any more. I think nowadays people upload a one-shot CI key, which is used to sign builds. So you're basically saying "The usual machine built this". Which is good information, don't get me wrong, but it's much less secure than "John was logged into his laptop and entered the password for the key that signed this"

So, you're right, that GPG verifies source, whereas TLS verifies distribution. I suppose those can be very different things.

Perhaps counter example: https://launchpad.net/~lubuntu-ci/+archive/ubuntu/stable-bac...

> The packages here are from the latest upstream release with WORK IN PROGRESS packaging, built from our repositories on Phabricator. These are going to be manually uploaded to the Backports PPA once they are considered stable.

And presumably "manually" means "signed and uploaded"

[spookie]

No established GNU/Linux distribution is going to half ass GPG signing as you've implied.

[jvanderbot]

Which part is half ass? Manual or automatic?

[spookie]

One shot CI keys. I guess I shouldn't have used that term, it certainly is more work that doing otherwise.

Nevertheless, their advantages offer nothing of value in this context. At least, I think so. Correct me if I'm wrong.

[IshKebab]

> They then upload arbitrary packages on the server

And change the instructions to point to a different GPG key (or none at all).

I think the only situation it possibly helps in is if you are using untrusted mirrors. But then a simple checksum does that too. No need for GPG.

[jvanderbot]

The "different gpg key" would be flagged by a package manager, but (critically) not this tool.

[prmoustache]

Also, author is typing his user password during live streaming with a mechanical keyboard while microphone is on.

[bobim]

You mean that the sound of each key is unique and sufficiently different from the others? Or it has to do with how a person is typing?

[overengineer]

This is an actual attack surface: https://www.researchgate.net/publication/284949922_Keyboard_...

[bobim]

I’ll be yodeling while typing from now on. Happy open-spacing everyone.

[malux85]

It doesn’t need to be unique, it just needs to leak enough information to decrease the search space enough to where brute force (or other methods) can kick in.

[coppsilgold]

Each key will produce a different sound even if it's just a touch screen surface keyboard due to being in different positions on the surface and having a relative position to the microphone - it may be more difficult and require a higher quality microphone.

Once you isolate and cluster all the key sounds you end up with a simple substitution cipher that you can crack in seconds.

[cmiller1]

While this comment doesn't seem 100% serious, I wonder if this kind of attack is made less effective by the trend in mechanical keyboards to isolate the PCB and plate from the case acoustically, e.g. gasket mount, flex cuts, burger mods. In my experience the effect of these changes is each key sounds more similar to the others rather than the traditional case mount setup where each key sound changes drastically based on its proximity to mounting points.

[jampekka]

Poe's law strikes again.

[vdaea]

It doesn't download "random files from the internet", it seems to be using original sources only.

[TylerE]

If you don't control then source, you can't guarantee that what it points to today is what it points to tomorrow.

[password4321]

FWIW:

- Signatures are checked for macOS now

- No signatures are available for Windows

Maybe this year attention from Hacker News will encourage someone to step up and implement signature checking for Linux!

[jampekka]

Still magnitudes better security practice than using any proprietary software or service.

[dncornholio]

My red flag was that there is no explanation of what an "optimised" image is.