Hi all – I was thrown off by the URLs in the mirror list. They're all
insecure / http. Is Alpine literally making unencrypted http requests, or
are they automatically upgraded to https by apk?
The website for the kernel.org repos is https, like
https://mirrors.edge.kernel.org/alpine/latest-stable/, but the URLs I see
in Alpine are just http.
Since we're talking about code running with all kinds of privileges, it
would be a huge problem if downloaded code wasn't coming in over a secure
connection.
Cheers,
Joe
Hi Joe,
from my understanding this code is signed and the signature is checked before it is installed. Therefore it makes no difference whether it is coming over a secure connection or not.
Cheers, Daniel
On Sat, 9 May 2020 13:32:41 -0700
Joe Duarte <songofapollo@gmail.com> wrote:
> Hi all – I was thrown off by the URLs in the mirror list. They're all
> insecure / http. Is Alpine literally making unencrypted http requests, or
> are they automatically upgraded to https by apk?
>
> The website for the kernel.org repos are https, like
> https://mirrors.edge.kernel.org/alpine/latest-stable/, but the URLs I see
> in Alpine are just http.
>
> Since we're talking about code running with all kinds of privileges, it
> would be a huge problem if downloaded code wasn't coming in over a secure
> connection.
>
> Cheers,
>
> Joe
> Is Alpine literally making unencrypted http requests?
Yes. You need to manually update /etc/apk/repositories file to https urls.
There is no immediate problem, because packages are signed and verified on install,
but you're right https should be used by default.
Please file an issue at https://gitlab.alpinelinux.org/alpine/aports/-/issues so it's not forgotten.
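The manual step described above (switching the entries in /etc/apk/repositories from http:// to https://) as an added shell example; this is not code from the thread or from apk-tools, and the sample repositories file it builds is constructed for the demo (the kernel.org host is the one the thread mentions, the other mirror name is a placeholder):

```shell
#!/bin/sh
# Added example, not code from the thread or from apk-tools: rewrite an apk
# repositories file so that mirror entries using http:// become https://.
# The repositories file format is one mirror URL per line, with '#' comments,
# which is all this script relies on.

# upgrade_repo_urls IN OUT
#   Write IN to OUT with every entry that starts with "http://" changed to
#   "https://". Comment lines, blank lines and entries that are already
#   https:// are copied through unchanged.
upgrade_repo_urls() {
    sed -e 's|^http://|https://|' "$1" > "$2"
}

# count_insecure FILE
#   Print how many active (non-comment) entries in FILE still use http://.
count_insecure() {
    # grep -c exits 1 when the count is 0; that is not an error here.
    grep -c '^http://' "$1" || true
}

# Demo on a constructed sample file (these are not real mirror entries from
# the thread, except the kernel.org host, which the thread mentions).
demo_repositories() {
    in=$(mktemp) && out=$(mktemp)
    cat > "$in" <<'EOF'
# constructed sample /etc/apk/repositories
http://mirrors.edge.kernel.org/alpine/v3.11/main
http://mirrors.edge.kernel.org/alpine/v3.11/community
#http://mirrors.edge.kernel.org/alpine/edge/testing
https://MIRROR-PLACEHOLDER.example/alpine/v3.11/main
EOF
    upgrade_repo_urls "$in" "$out"
    echo "insecure entries before: $(count_insecure "$in"), after: $(count_insecure "$out")"
    cat "$out"
    rm -f "$in" "$out"
}

demo_repositories
```

On a real system run `upgrade_repo_urls /etc/apk/repositories /etc/apk/repositories.new`, review the result, move it into place, and then run `apk update`: that last step matters because, as the IRC log later in this thread shows, not every mirror served HTTPS at the time, and the ca-certificates package has to be present for apk to validate the mirror's certificate.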
Hello,
On Saturday, May 9, 2020 2:32:41 PM MDT Joe Duarte wrote:
> Hi all – I was thrown off by the URLs in the mirror list. They're all
> insecure / http. Is Alpine literally making unencrypted http requests, or
> are they automatically upgraded to https by apk?
>
> The website for the kernel.org repos are https, like
> https://mirrors.edge.kernel.org/alpine/latest-stable/, but the URLs I see
> in Alpine are just http.
>
> Since we're talking about code running with all kinds of privileges, it
> would be a huge problem if downloaded code wasn't coming in over a secure
> connection.
APK packages are secured with a signature-based chain of trust, and as long as
that chain of trust is not compromised, it does not matter if the connection
itself is secure or not.
There is, incidentally, no knowledge of any compromise of our trust chain at
this time, and if there were, using HTTPS to deliver the packages would not
change anything, as the compromised packages would still have valid
signatures.
The primary concern of using a non-HTTPS channel is one of information
leakage; an attacker can learn based on observing your update traffic what
packages are installed on a target system. If that is a concern to you, then
many mirrors are HTTPS-enabled, perhaps it makes sense to provide a list of
HTTPS mirrors alongside the HTTP mirror list.
Ariadne
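The chain-of-trust argument above, as an added shell example that is not apk's own verification code: a package is signed with a publisher key, the client checks it against a public key it already trusts, and a file altered between mirror and client fails the check regardless of whether it travelled over HTTP or HTTPS. The key pair, package contents and file names are constructed for the demo and the real apk signature format is not reproduced.

```shell
#!/bin/sh
# Added example, not apk's own verification code: a minimal illustration of
# why a signed package survives an untrusted transport. A package file is
# signed with a private key; the client verifies it against a public key it
# already trusts (apk keeps its trusted keys under /etc/apk/keys). Any
# modification in transit makes the signature check fail. The key pair,
# package contents and file names are constructed for the demo; the real apk
# format (RSA signature over the index, packed into the archive) is not
# reproduced.

# make_keypair DIR
#   Create key.pem (private, stays with the publisher) and pub.pem (public,
#   distributed to clients) in DIR.
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/key.pem" 2>/dev/null
    openssl pkey -in "$1/key.pem" -pubout -out "$1/pub.pem" 2>/dev/null
}

# sign_file KEY FILE SIG
#   Publisher side: detached SHA-256 RSA signature of FILE written to SIG.
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_file PUB FILE SIG
#   Client side: exit 0 only if SIG is a valid signature of FILE under PUB.
verify_file() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Demo: an intact download verifies, a download altered on the wire does not.
demo_chain_of_trust() {
    d=$(mktemp -d)
    make_keypair "$d"
    printf 'constructed package payload\n' > "$d/pkg.apk"
    sign_file "$d/key.pem" "$d/pkg.apk" "$d/pkg.apk.sig"
    if verify_file "$d/pub.pem" "$d/pkg.apk" "$d/pkg.apk.sig"; then
        echo "intact package: signature OK"
    fi
    # Simulate a modification between mirror and client.
    printf 'one extra byte' >> "$d/pkg.apk"
    if ! verify_file "$d/pub.pem" "$d/pkg.apk" "$d/pkg.apk.sig"; then
        echo "tampered package: signature rejected"
    fi
    rm -rf "$d"
}

demo_chain_of_trust
```

The check is only as strong as the set of trusted public keys on the client, which is exactly the point made above: if the signing key were compromised, the tampered package would verify cleanly and HTTPS would not help. What the transport does add is confidentiality of which packages a host fetches, and a defence against an on-path party silently withholding newer files, neither of which the signature covers.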
Hello,
On Sunday, May 10, 2020 7:17:18 AM MDT Konstantin Kulikov wrote:
> > Is Alpine literally making unencrypted http requests?
>
> Yes. You need to manually update /etc/apk/repositories file to https urls.
> There is no immediate problem, because packages are signed and verified on
> install, but you're right https should be used by default.
>
> Please file an issue at
> https://gitlab.alpinelinux.org/alpine/aports/-/issues so it's not
> forgotten.
Traditionally, we haven't seen this to be a huge problem because the update
channel itself is secured against tampering. The worst that could be done
over an HTTP channel is suppression of future updates, but in practice, the
greater value an HTTP channel has to an attacker is intelligence gathering (e.g.
these packages have been downloaded by the host).
I think, however, in 2020 it is probably a good idea to prefer https over http
mirrors. A good solution would be to have two lists, and ask users if they
wish to use an http or https update channel.
Ariadne
> I think, however, in 2020 it is probably a good idea to prefer https over http
> mirrors. A good solution would be to have two lists, and ask users if they
> wish to use an http or https update channel.
There is absolutely no reason to give users an option to go insecure,
especially if you can manually edit repositories file.
Just make sure ca-certificates and haveged are part of standard/virt iso releases.
Hello,
On 2020-05-10 21:04:15 -0600, Ariadne Conill wrote:
> I think, however, in 2020 it is probably a good idea to prefer https over http
> mirrors. A good solution would be to have two lists, and ask users if they
> wish to use an http or https update channel.
So is there any chance of dl-cdn.alpinelinux.org starting to work with
https? Or is that something that is not really doable?
Snippet from irc log for more context:
2020-05-06 14:53:23 <gray_-_wolf> is it expected that I cannot use https with dl-cdn.alpinelinux.org? (URL: https://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/apk-tools-static-2.10.5-r0.apk )
2020-05-06 14:53:33 <gray_-_wolf> I'm getting curl: (51) SSL: certificate subject name (default.ssl.fastly.net) does not match target host name 'dl-cdn.alpinelinux.org'
2020-05-06 14:55:01 <ikke> yes
2020-05-06 14:55:21 <ikke> fastly is hosting it, and they don't have a certificate for dl-cdn.alpinelinux.org
2020-05-06 14:55:53 <ikke> gray_-_wolf: this one works: https://alpine.global.ssl.fastly.net/
2020-05-06 14:57:59 <gray_-_wolf> hm but as long as I'm checking the signature, I don't really need the https I guess?
2020-05-06 14:59:21 <ikke> not really, no
W.
--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
Seems it's not necessary! In fact, https is a bit slower and needs more
complicated software support at install steps! Alpine Linux must be
minimalist! So there's no need for https.
2020-05-17 16:27 GMT-04:00, Wolf <wolf@wolfsden.cz>:
> Hello,
>
> On 2020-05-10 21:04:15 -0600, Ariadne Conill wrote:
>> I think, however, in 2020 it is probably a good idea to prefer https over
>> http
>> mirrors. A good solution would be to have two lists, and ask users if
>> they
>> wish to use an http or https update channel.
>
> So is there any chance of dl-cdn.alpinelinux.org starting to work with
> https? Or is that something that is not really doable?
>
>
> Snippet from irc log for more context:
>
> 2020-05-06 14:53:23 <gray_-_wolf> is it expected that I cannot use https
> with dl-cdn.alpinelinux.org? (URL:
> https://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/apk-tools-static-2.10.5-r0.apk
> )
> 2020-05-06 14:53:33 <gray_-_wolf> I'm getting curl: (51) SSL: certificate
> subject name (default.ssl.fastly.net) does not match target host name
> 'dl-cdn.alpinelinux.org'
> 2020-05-06 14:55:01 <ikke> yes
> 2020-05-06 14:55:21 <ikke> fastly is hosting it, and they don't have a
> certificate for dl-cdn.alpinelinux.org
> 2020-05-06 14:55:53 <ikke> gray_-_wolf: this one works:
> https://alpine.global.ssl.fastly.net/
> 2020-05-06 14:57:59 <gray_-_wolf> hm but as long as I'm checking the
> signature, I don't really need the https I guess?
> 2020-05-06 14:59:21 <ikke> not really, no
>
>
> W.
>
> --
> There are only two hard things in Computer Science:
> cache invalidation, naming things and off-by-one errors.
--
Lenz McKAY Gerardo (PICCORO)
http://qgqlochekone.blogspot.com