Subject: Re: [alpine-devel] What could be done to make Alpine distribution more secure
From: Der Tiger
To: Alba Pompeo, alpine-devel@lists.alpinelinux.org
Date: Mon, 22 Feb 2016 19:19:54 +0100
Message-ID: <56CB514A.3060402@arcor.de>

Hi Alba,

> I'll start with the obvious HTTPS support. The download links on
> http://www.alpinelinux.org/downloads/ all point to a HTTP link.

Going SSL won't give the downloader any relevant additional security, since the connection between the server and the downloading client isn't a likely point of attack. Such a man-in-the-middle attack is far too much effort only to corrupt the transferred ISO image. It is much easier to take the same approach the Mint hackers took and attack the website directly. SSL won't help you there. To make the website hacking-proof, the entire content would have to be on a physically read-only medium (e.g. DVD-R), but I doubt any admin would be willing to handle such hassle.

> The certificate is only valid for the following names:
> mail.alpinelinux.org, alpinelinux.org

The Alpine website uses several sub-domains, and the certificate would therefore have to be a wildcard certificate in order to be valid on all sub-levels. Those wildcard certificates are considerably more expensive than any generic certificate.

> HTTPS Everywhere installed. Shouldn't it always be preferred?

Only if you can trust the server certificate and you want to transfer data that would give any listener valuable information. SSL neither hides your IP address nor your connection state. Surfing the Alpine website and downloading an Alpine ISO hardly counts as valuable information. SSL only hides (to some degree) the information inside the connection, but not the connection itself. To accomplish a fully encrypted connection, you need tools like VPN.

Furthermore, most certificates can be faked or spoofed, and even most certificate authorities (CAs) are not to be trusted when it comes to critical data. The entire certificate system has already collapsed due to the system requiring all CAs to be trustworthy. If one CA fails, the entire system falls apart. And today, there are more untrustworthy CAs than trustworthy ones.

Offering checksums for every downloadable file only verifies the file's consistency with the original file, but does not prevent any tampering with the files stored on the server. Because, let's face it, if someone is able to hack the website and replace the downloadable files, he/she is certainly qualified to modify the checksums displayed online accordingly. The only way known to me to ensure the validity of the file contents is to encrypt the file offline with a private key and hardcode the public decryption key into the static part of the website. Any modification to the file alone makes the decryption fail, while the public key can't be modified without locally accessing the web server.

Regards,
Tiger
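The contrast Tiger draws above (a published checksum that an attacker with web-server access can rewrite, versus a key held offline with only the public half on the site) as an added example that is not part of the original thread. It implements the scheme as a detached Ed25519 signature; the key pair, the "ISO" contents and the checksums are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ChecksumOnlyVerify mirrors a download page that shows a SHA-256 next to the
// file: it proves only that the file matches whatever digest is published.
func ChecksumOnlyVerify(file, publishedDigest []byte) bool {
	sum := sha256.Sum256(file)
	return bytes.Equal(sum[:], publishedDigest)
}

// SignedVerify checks a detached signature against a public key pinned outside
// the attacker's reach (hard-coded in the static site or shipped with the client).
func SignedVerify(pinnedPub ed25519.PublicKey, file, sig []byte) bool {
	return ed25519.Verify(pinnedPub, file, sig)
}

// Scenario models an attacker who can overwrite both the file and the checksum
// on the web server but cannot reach the offline signing key. It returns
// (genuine file verifies, tampered file passes checksum, tampered file passes signature).
func Scenario(pub ed25519.PublicKey, priv ed25519.PrivateKey) (bool, bool, bool) {
	genuine := []byte("constructed sample: genuine alpine ISO contents")
	sig := ed25519.Sign(priv, genuine) // produced offline by the release engineer

	// Attacker swaps the file and recomputes the checksum shown on the page.
	tampered := []byte("constructed sample: backdoored ISO contents")
	tamperedSum := sha256.Sum256(tampered)

	return SignedVerify(pub, genuine, sig),
		ChecksumOnlyVerify(tampered, tamperedSum[:]),
		SignedVerify(pub, tampered, sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // in practice generated and kept offline
	if err != nil {
		panic(err)
	}
	genuineOK, checksumFooled, sigOnTampered := Scenario(pub, priv)
	fmt.Printf("genuine file, pinned-key signature: %v\n", genuineOK)
	fmt.Printf("tampered file, checksum-only check: %v\n", checksumFooled)
	fmt.Printf("tampered file, pinned-key signature: %v\n", sigOnTampered)
}
```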