I've noticed that the Alpine Linux packages mirrors URLs all have the
http scheme instead of https.
Apparently, the alpinelinux.org DNS zone is not signed either.
Packages are being signed for some time though.
If this analysis is correct, then I think an attacker should be able set up a
fake packages mirror with matching signatures, and trick targets into
resolving well-known Alpine Linux packages mirrors to this fake
mirror. This leads me to conclude that a man-in-the-middle attack
against the Alpine Linux package mirrors is a feasible way to plant
backdoors into Alpine Linux hosts that undergo `apk add`.
A quick and free solution would be to use e.g. Let's Encrypt to
generate valid TLS certificates for all mirrors,
and additionally DNSSEC-signing alpinelinux.org would bring some
further reassurance (e.g., also for non-HTTP traffic).
It appears that Red Hat does already see the value of distributing both
package metadata and data via HTTP over TLS.
Received on Thu Mar 24 2016 - 19:12:30 GMT