[alpine-security] Integrity of current package distribution system

From: Sander Maijers <s.n.maijers_at_gmail.com>
Date: Thu, 24 Mar 2016 19:12:30 +0100

Hi all,

I've noticed that the Alpine Linux packages mirrors URLs all have the
http scheme instead of https.
  http://rsync.alpinelinux.org/alpine/MIRRORS.txt

Apparently, the alpinelinux.org DNS zone is not signed either.
  http://dnsviz.net/d/nl.alpinelinux.org/dnssec/

Packages have been signed for some time though.
  http://wiki.alpinelinux.org/wiki/Upgrade_to_repository_main

If this analysis is correct, then I think an attacker should be able to set up a
fake packages mirror with matching signatures, and trick targets into
resolving well-known Alpine Linux packages mirrors to this fake
mirror. This leads me to conclude that a man-in-the-middle attack
against the Alpine Linux package mirrors is a feasible way to plant
backdoors into Alpine Linux hosts that undergo `apk add`.

A quick and free solution would be to use e.g. Let's Encrypt to
generate valid TLS certificates for all mirrors,
  https://letsencrypt.org/
and additionally DNSSEC-signing alpinelinux.org would bring some
further reassurance (e.g., also for non-HTTP traffic).

It appears that Red Hat does already see the value of distributing both
package metadata and data via HTTP over TLS.
  https://securityblog.redhat.com/2015/08/19/secure-distribution-of-rpm-packages/

Best,
Sander

Received on Thu Mar 24 2016 - 19:12:30 GMT