| 1 |
On Fri, 06 Mar 2015 10:20:27 -0500 |
| 2 |
"Rick \"Zero_Chaos\" Farina" <zerochaos@g.o> wrote: |
| 3 |
|
| 4 |
> On 03/06/15 08:53, Mark Kubacki wrote: |
| 5 |
> > 2015-03-06 1:56 GMT+01:00 Rick "Zero_Chaos" Farina |
| 6 |
> > <zerochaos@g.o>: |
| 7 |
> >> |
| 8 |
> >> tl;dr webrsync-gpg is a built in feature of the package manager |
| 9 |
> >> which OPTIONALLY adds a significant amount of security against the |
| 10 |
> >> attacks described on your website. This is not currently the |
| 11 |
> >> default setting, however, it is described in many hardening guides |
| 12 |
> >> for gentoo and widely used among the security conscious. |
| 13 |
> > |
| 14 |
> > Without numbers backing that up this is speculation. |
| 15 |
> |
| 16 |
> 5,7,16,38,42. There are some numbers to back up what I'm saying. I |
| 17 |
> have been doing security work for over 15 years and I'm a professional |
| 18 |
> pen-tester. If you want to read the portage code to verify what I |
| 19 |
> said that's fine, but I'm reasonably confident I distilled what |
| 20 |
> portage does into english. |
| 21 |
> > |
| 22 |
> > Given the default settings (without webrsync-gpg)…: |
| 23 |
> > |
| 24 |
> >> (8) Wrong software installation. |
| 25 |
> > |
| 26 |
> > Observe the DNS requests for the rsync- or webrsync mirror. They're |
| 27 |
> > not encrypted and give you a nice heads-up. |
| 28 |
> |
| 29 |
> Yup, dns is basically never encrypted, this is not new information or |
| 30 |
> a new attack. |
| 31 |
> > |
| 32 |
> > A. (data in transit) It's almost never HTTPS and/or without |
| 33 |
> > authentication, so you can easily proceed to hijacking the |
| 34 |
> > connection. |
| 35 |
> > - Primed that way (DNS) insert a new rule into a router (or |
| 36 |
> > nameserver) along the path or within the DC to redirect the |
| 37 |
> > transaction. (See "quantum insert".) |
| 38 |
> |
| 39 |
> Yup, this was discussed, however, it doesn't matter, and I'll explain |
| 40 |
> why. The portage tree itself is a tarball with a signature attached, |
| 41 |
> that means that short of coercion, the information in the portage tree |
| 42 |
> should be correct (in the case of webrsync-gpg). The Manifest file |
| 43 |
> for each package contains a sha256, sha512, and whirlpool hash for |
| 44 |
> each file (including the source tarballs which would be downloaded to |
| 45 |
> install) and ALL of them must match. Good luck modifying the file |
| 46 |
> and getting all three hashs to match, I would suggest that is |
| 47 |
> statistically impossible. Yes, an attacker could easily pass any file |
| 48 |
> they like, but portage would fail to validate it and refuse to |
| 49 |
> continue. |
| 50 |
> > |
| 51 |
> > B. (data at rest) Bribe or coerce the owner of the (portage tree) |
| 52 |
> > mirror. Manifests and ebuilds are not centrally signed and there is |
| 53 |
> > no authoritative "signing transparency"/record (see "certificate |
| 54 |
> > transparency"). |
| 55 |
> > |
| 56 |
> Only the portage tree is centrally signed, and currently the manifest |
| 57 |
> signatures aren't even verified automatically at this point. Yes, I |
| 58 |
> completely agree that a gentoo dev could be coerced or bribed to add |
| 59 |
> malicious code to the repository which would then get signed and |
| 60 |
> shipped with the secure tarball. This avenue of attack is very |
| 61 |
> difficult to stop. If would be cool to have some kind of automated |
| 62 |
> check for malicious codes, however, I doubt it would be all that |
| 63 |
> effective. |
| 64 |
> |
| 65 |
> -Zero |
| 66 |
> |
| 67 |
|
| 68 |
I have refrained from replying till now because I don't consider myself |
| 69 |
qualified to answer security issues like these. |
| 70 |
|
| 71 |
But, for the few holes there are currently in portage's security |
| 72 |
methods, there are already efforts underway to plug them. Using a new |
| 73 |
project called gentoo-keys (a gpg-key management app) portage will be |
| 74 |
able to independently able to verify the gpg signed Manifest |
| 75 |
files provided with each package. So, even if the user does not use |
| 76 |
the gpg signed emerge-webrsync method. There will still be an |
| 77 |
alternate authentication method on the package level. There are other |
| 78 |
steps being taken as well in other areas of the tree handling and |
| 79 |
building as well, but portage verifying the Manifest file is the next |
| 80 |
step being taken with gentoo-keys. |
| 81 |
|
| 82 |
What Zero did not mention was that a user can independently verify the |
| 83 |
gpg signature of each Manifest file now. The developer gpg keys are |
| 84 |
listed and available. The gentoo-keys project is just automating the |
| 85 |
whole process. |
| 86 |
|
| 87 |
-- |
| 88 |
Brian Dolbec <dolsen> |
Archives