Hacker News new | ask | show | jobs
by colejohnson66 876 days ago
Can someone explain how this is a security problem? While GPG key verification would be the best way to ensure authenticity, it's doing nothing different from what almost everyone does: download the ISO from the distro's own HTTPS site. It then goes beyond what most people do and validates that the hashes matche.
8 comments
JeremyNT 876 days ago
IMO you're exactly right.

I just looked at the shell script and it's not "random" at all, it's getting both the checksum and the ISO from the official source over TLS.

The only way this technique is going to fail is if the distro site is compromised, their DNS lapses, or if there's a MITM attack combined with an incorrectly issued certificate. GPG would be more robust but it's hardly like what this tool is doing is some unforgivable failure either.

It's not that the OP is wrong but I think they give a really dire view of what's happening here.

link
npteljes 876 days ago
Getting the signature and the file from the same place is questionable practice in itself. If the place is hacked, then all the hacker needs to do is to just hash his own file, which has happened in at least one high profile case [0]. And this practice doesn't even offer any extra protection if the resource was accessed with HTTPS in the first place.

[0] https://www.zdnet.com/article/hacker-hundreds-were-tricked-i...

link
repelsteeltje 876 days ago
Absolutely true, but one additional factor (or vector) is that this adds a level of indirection. That is, you're trusting the Quickemu people to take the same diligence you yourself would do when downloading an ISO from, say ubuntu.com for each and every target I can conveniently install with Quickemu.

It's a subtle difference, but the trust-chain could indeed be (mildly) improved by re-distributing the upstream gpg keys.

link
Joker_vD 876 days ago
Eh, you can fetch the GPG keys from some GPG keyserver, it's not like those keys are just random files from the Internet. They're cross-signed, after all!
link
IshKebab 875 days ago
How do you know which keys to get? Let me guess... you read their website.
link
funcDropShadow 875 days ago
> It then goes beyond what most people do and validates that the hashes matche.

It might go above and beyond what most people are doing, but not what most tools are doing. Old school package managers are still a step ahead in this area, because they use GPG to check the authenticity of the data files, independent of the transportation channel. A website to download files and checksums is one such channel. This enables supporting multiple transportation channels, then it was a mirror of ftp mirrors. Today, it might be bittorent or ipfs or a CDN. And GPG supports revoking the trust. Checksums that are hardcoded into a tool cannot be revoked.

As soon as we start to codify practices into tools, they become easier to game and attack. Therefore tools should be held to higher security standards than humans.

link
st3fan 876 days ago
Because you wrote HTTPS in italic .. HTTPS doesn't mean anything. Both the good and bad actors can have perfectly valid HTTPS configured. It is not a good indicator of trustworthiness of the actual thing you download.
link
hn_throwaway_99 876 days ago
> HTTPS doesn't mean anything.

That's not accurate at all. HTTPS should mean "we've validated that the content you're receiving comes from the registered domain that you've hit". Yes, it's possible that the domain host itself was compromised, or that the domain owner himself is malicious, but at the end of the day you have to trust the entity you're getting the content from. HTTPS says, importantly, "You're getting the content from whom you think you're getting it from."

link
st3fan 876 days ago
Yes but we abandoned that idea a while ago. There are no more green locks in browsers. Nobody buys those expensive certificates that proof ownership. When you curl something it doesn't show anything unless it is an actual invalid certificate.

You are correct that it _should mean_ but reality today is that it doesn't mean anything.

link
yjftsjthsd-h 875 days ago
No, it still means that you've connected to the domain that you wanted to connect to and the connection is reasonably resistant to MITM attacks. It doesn't say anything about who controls the domain, but what it provides still isn't nothing.
link
st3fan 875 days ago
It is not about the domain.

"It is not a good indicator of trustworthiness of the actual thing you download."

I just downloaded something with malware from github.com. I indeed wanted to connect to github.com and I trust that it is Github.com. But again ... it did not say _anything_ about the trustworthyness of the _actual_ thing I did, which was to download an asset from that domain.

That is my point. In the context of this discussion about downloading dependencies.

link
funcDropShadow 875 days ago
But by using GPG to check the authenticity of the actual files that are downloaded, we can remove the web site -- whether https is sufficienctly secure or not -- from the trust chain all together. The shorter the trust chain, the better.
link
electroly 876 days ago
> HTTPS says, importantly, "You're getting the content from whom you think you're getting it from."

You need certificate pinning to know this for sure, due to the existence of MITM HTTPS spoofing in things like corporate firewalls. HTTPS alone isn't enough; you have to confirm the certificate is the one you expected. (You can pin the CA cert rather than the leaf certificate if you want, if you trust the CA; that still prevents MITM spoofing.)

link
brirec 876 days ago
I’m not aware of any HTTPS MITM that can function properly without adding its own certificate to the trusted roots on your system (or dismissing a big red warning for every site), so I don’t think certificate pinning is necessary in such an environment (if the concern is MITM by a corporate firewall).

An attacker would still need to either have attacked the domain in question, or be able to forge arbitrary trusted certificates.

link
yjftsjthsd-h 876 days ago
If an attack requires compromising my operating system certificate store, I'm reasonably comfortable excluding it from most of my threat models.
link
electroly 875 days ago
Obviously you choose your own relevant threat models, but it's common to do in iOS apps--many apps are including it in their threat models. Pinning the CA cert is what Apple recommends to app developers. It's not an unreasonable thing to do.

https://developer.apple.com/news/?id=g9ejcf8y

link
yjftsjthsd-h 875 days ago
That link discusses how to do it but not why. The most likely thing that occurs to me is that iOS apps consider the user a potentially hostile actor in their threat model, which is... technically a valid model, but in the context of this thread I don't that counts as a real concern.
link
Zuiii 874 days ago
I wouldn't be sure about most. I and everyone I worked with took gpg verification seriously. I always verify isos. Always.

People who are responding to you with "you are absolutely right" might not represent the silent majority (within our field, not talking about normal users).

link
fsflover 875 days ago
https://www.qubes-os.org/security/verifying-signatures/#what...
link
EasyMark 876 days ago
Trust is an input into any security equation. Do you trust all sources of these files? I don't think anyone was challenging gpg
link