Bug #8342

Insecure transport of OI cryptographic digests

Added by Charles Morris over 2 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
-
Start date:
2017-06-05
Due date:
% Done:
100%

Estimated time:
3.00 h
Difficulty:
Bite-size
Tags:
needs-triage

Description

Most of the pages that link to the OpenIndiana Hipster images
are served over https. They do contain links to the digest files,
but the files themselves are served in plaintext.

I support the idea of distributing the images in plaintext (e.g. for compression and caching),
however the digests and the signature files are vulnerable if they are not authenticated.

Distributing broken security is often worse than a lack of security,
due to the mismatch between the expectation of the user and reality.

It is also problematic that there are plaintext pages that link to the images,
(e.g: http://dlc-origin.openindiana.org/) as their links to the digest files (or signature files)
may be modified in transit.

I recommend that the digests be literal in the pages that link to the images, instead of linking elsewhere.

I also recommend that the choice of digest algorithm be reconsidered, although that is not urgent.

Simply, if the configuration isn't changed, there is no way to assure the authenticity of the images.

Thanks,
Charles A. Morris

Specifics:

The main site:
https://www.openindiana.org/download/
links to:
http://dlc.openindiana.org/isos/hipster/latest//OI-hipster-gui-20170502.iso
http://dlc.openindiana.org/isos/hipster/latest/OI-hipster-gui-20170502.iso.sha256sum

and the wiki:
https://wiki.openindiana.org/oi/2017.04+Release+notes
links to:
http://dlc.openindiana.org/isos/hipster/20170502/OI-hipster-gui-20170502.iso
http://dlc.openindiana.org/isos/hipster/20170502/OI-hipster-gui-20170502.iso.sha256sum
http://dlc.openindiana.org/isos/hipster/20170502/OI-hipster-gui-20170502.iso.sha256sum.asc

and an insecure page that links to images:
http://dlc-origin.openindiana.org/

There may be others I am unaware of.
Unfortunately I cannot fix the wiki myself as I have no way to know the correct digests. :)
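As an added example (not part of this report or of the OpenIndiana project), the following Python models the two checks the report contrasts, using constructed byte strings in place of real images and a placeholder file name: the sidecar `.sha256sum` check accepts an image whose digest file was altered along with it, while comparing against a digest pinned from an authenticated page rejects it.

```python
import hashlib
import hmac
from typing import Dict, Optional

HEX64 = set("0123456789abcdef")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_digest_file(image: bytes, name: str) -> str:
    # Layout of a sha256sum(1) sidecar file: "<64 hex chars>  <filename>\n".
    return f"{sha256_hex(image)}  {name}\n"

def parse_digest_file(text: str, name: str) -> Optional[str]:
    # Return the hex digest recorded for `name`, or None if it is absent or malformed.
    for line in text.splitlines():
        digest, sep, fname = line.strip().partition("  ")
        if not sep:
            continue
        fname = fname.lstrip("*")          # sha256sum marks binary mode with a leading '*'
        digest = digest.lower()
        if fname == name and len(digest) == 64 and set(digest) <= HEX64:
            return digest
    return None

def verify_with_sidecar(image: bytes, name: str, sidecar: str) -> bool:
    # The check a downloader can run, but it only proves image and sidecar match each other.
    expected = parse_digest_file(sidecar, name)
    return expected is not None and hmac.compare_digest(expected, sha256_hex(image))

def verify_against_pinned(image: bytes, pinned_hex: str) -> bool:
    # The digest comes from a source the downloader trusts, e.g. printed literally on an HTTPS page.
    return hmac.compare_digest(pinned_hex.strip().lower(), sha256_hex(image))

def demo() -> Dict[str, bool]:
    # Constructed stand-ins; not real OpenIndiana artefacts or digests.
    name = "OI-hipster-gui-PLACEHOLDER.iso"
    genuine = b"constructed genuine image bytes"
    sidecar = make_digest_file(genuine, name)
    pinned = sha256_hex(genuine)                     # digest as published on the HTTPS page
    # Both files fetched over the same plaintext path arrive altered consistently.
    altered = b"constructed altered image bytes"
    altered_sidecar = make_digest_file(altered, name)
    return {
        "genuine_sidecar": verify_with_sidecar(genuine, name, sidecar),           # True
        "altered_sidecar": verify_with_sidecar(altered, name, altered_sidecar),   # True: vacuous
        "altered_pinned": verify_against_pinned(altered, pinned),                 # False: detected
        "genuine_pinned": verify_against_pinned(genuine, pinned),                 # True
    }

if __name__ == "__main__":
    print(demo())
```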

History

#1

Updated by Adam Števko over 2 years ago

Can you elaborate on what "broken security" means here? The 2017.04 release notes contain clear instructions on how to verify downloaded ISO media securely (https://wiki.openindiana.org/oi/2017.04+Release+notes). There is also a mention of which GPG key ID we are using for signing.

If the files were modified in transit, the checksum will change and GPG will warn you about that. In the next release, we will produce <iso>.sig files to make it even simpler.

Just the fact that some parts are not available via HTTPS doesn't mean that they can't be verified securely, so I consider this unjustified.

#2

Updated by Adam Števko over 2 years ago

  • Status changed from New to Feedback

#3

Updated by Adam Števko over 2 years ago

  • Priority changed from Immediate to Normal

#4

Updated by Charles Morris over 2 years ago

Even if adding a GPG signature to the latest release of OI had fixed the problem, which it did not,
every other release of OpenIndiana Hipster (18 releases since 2013) is vulnerable to attack.

There exist realistic attack scenarios that make the addition of the GPG signature insufficient,
at least in its current rendition, although it's a welcome addition, so I would suggest you continue to do so.

#5

Updated by Charles Morris over 2 years ago

  • Priority changed from Normal to Immediate

#6

Updated by Adam Števko over 2 years ago

  • Status changed from Feedback to Resolved
  • % Done changed from 0 to 100

Checksums were published on the 2017.04 release notes webpage.

Speaking of realistic attack scenarios, can you point to some source?
