@aral Debian *really* needs to enable HTTPS repos by default. Enough is enough. #InfoSec

@rysiek @aral it's all PGP signed, what's the point? Allow registrars to MITM?

@alrs @aral perhaps consider reading the link in the parent toot, and then let's talk.

@rysiek @aral @alrs

the problem is with the way APT does the signature check, not HTTPS.

HTTPS is a bandaid that will hide security problems in these types of parsing scenarios.

so no, https is not the solution.

@kaniini @alrs @aral fair. But I'll take a band-aid in the meantime. It would have stopped this attack (and others linked to in the article).

@rysiek @aral @alrs

https does not do shit. at all. okay now you upgraded the risk factor from script kiddie to script kiddie who has a reseller agreement with a CA. cool.

@kaniini @alrs @aral I will take that upgrade, especially since the cost is negligible and deployment trivial.

@rysiek @aral @alrs

the cost to who? you?

what about the cost to the planet for all of the additional energy wasted on unnecessary TLS to transport already cryptographically secure data?

what about the labor costs for companies and projects to manage their X509 hygiene?

#InfoSec people are charlatans as usual

@kaniini @alrs @aral Debian already maintains X509 infrastructure, so no additional management/deployment/etc cost there.

And for the other thing, I'd like to see a study of TLS energy impact (I really would).

@rysiek @aral @alrs

hey, did you know that 99.9999999999% of Debian repo traffic is on third-party mirrors? if people followed your X509 advice there'd be leaked certificates all over the damn place.

again, #InfoSec = charlatanism

@kaniini @alrs @aral @rysiek multi-layer defense is a lie anyways! Just force people to write bug-free code and fire them if they don't.
Why bother with partial mitigations…

But for real, it mostly looks like you value different threats differently. Not whether InfoSec is heart worms or not.

@schmittlauch @rysiek @aral @alrs

the real threat is infosec idiocy and the cure comes in the form of .45 caliber ammunition honestly.

@kaniini @alrs @aral and now I have to curl all Debian mirrors and check if they support HTTPS already, great.

@kaniini @alrs @aral there we go: hackerspace.pl/~rysiek/debian-

Can't be bothered to do the exact stats now on how many Debian mirrors support HTTPS, but seems like more than 33%, less than 66%.

Yes, the shell monstrosity is fugly.

@kaniini
You do of course realize that leaked certs don't provide worse security than no cert...

Right now, RCE on the most popular Linux distributions at public networks around the world is a simple mitmproxy away. This has happened repeatedly, and every time infosec says the same thing: TLS would have made this attack too expensive for 99% of attackers. All we ever hear back is inane comments like "it's just this once" or "we verify the signatures, it doesn't really matter".

@tga

the solution is not TLS. like all other vulnerable software, the solution is fixing the package manager's parsers, so that invalid data is correctly rejected.

whether TLS should be used to secure a repository or not is an entirely different subject, but TLS itself is not a prevention of RCE, in fact it will cause people to stop fuzzing package managers, and bugs will stop being fixed.

to recap, in case you missed it, the solution is to FIX THE DAMN BUGS.

@kaniini
Once again, TLS would have stopped 99% of attackers, and stops them in the future. Who knows who else found this before it was disclosed? There will never be no security bugs. Nobody is going to stop looking for bugs. Just like nobody stopped looking for bugs in any other program that switched to TLS.

@tga

tired: properly fixing software bugs

wired: using TLS as a generic internet condom and praying that a root certificate authority's keys aren't factored

@kaniini
And in the process, stop countless abusive spouses, stalkers, and bosses from installing spyware on computers all over the world.

But no, if it doesn't stop a state adversary, of course it serves no purpose in your self-absorbed thought experiment.

@tga

yeah man, TLS definitely stops abusive spouses, stalkers and bosses from installing spyware on computers.

@kaniini
It literally does in this case. I don't think you understand how hard it is to exploit a CA, versus how trivial this attack is.

@tga

you must be smoking some real good shit to come up with this threat model!

see, if i want to spy on what my spouse is doing, i will just put a RAT on their computer, which will take screenshots and log keystrokes.

i would definitely not suggest anyone come to you for espionage strategies.

@tga

i mean, i want to reiterate: your threat model is really bizarre! if i am a boss or jealous spouse, i have physical access to the machine! why do i need to fuck around with an MITM at all?

@kaniini
One of my coworkers has a stalker. You think this is outside of their threat model?

@rysiek @aral @alrs @kaniini This is one of those arguments I got into five years ago. There are of course other reasons why you might not want the entire package list for a given server to be transferred in the clear.

@bob @rysiek @aral @alrs

approximately zero package managers send your package list anywhere. except conary and that package manager is dead.

they may fetch files, sure, but if you want to prevent inference of server package lists you should be using an internal mirror anyway.

@kaniini Seeing what packages are requested, particularly during major upgrades / release updates, is effectively identical to transferring your local package list to the server. Or, over HTTP transport, all points between you and same.

You seem to have strong feelings, violent tendencies, and little actual clue as to security. This has proved a poor mix in my experience. I hope your mileage differs.

I somehow doubt it.

@alrs @aral @rysiek @bob

@dredmorbius @bob @rysiek @aral @alrs

with all due respect, you have no idea who the fuck i am or what the fuck i do. but you sure talk a big game.

i've been designing actually secure systems and networks for the past decade, and have also written major parts of a major package manager and i can tell you this: https is not the point at all here, but having the repos locally.

#InfoSec charlatans always talk the talk, but you all never walk the walk, and i'm the person that gets hired to fix your mess when the project gets blown to hell.

@kaniini @dredmorbius @bob @rysiek @aral @alrs I'd just like to interject for a moment. I've literally been removing trash from the internet for the past decade plus. i know how to form coalitions of upstream ISPs to force deplatforming. don't play with me unless you want to learn what this means.

@yolo @kaniini @dredmorbius @bob @rysiek @aral @alrs
imagine pretending to be an internet tough guy with a bunny girl avatar lololololol

@levi @yolo

i wasn't really going for that aesthetic with that response, but i can see the resemblance i guess...

i just didn't like his own internet tough guy response to me.

@levi Yeah, but the _other_ dog in this fight is a space alien cat.

Who's a girl gonna bet the bank on in this mad mad mad mad mad mad world?

@levi @alrs @dredmorbius @yolo @rysiek @bob @kaniini @aral i guess i'll link to this thread the next time someone gets excited because people in the fediverse are so much nicer than those on twitter :)

@levi ooooohhkaaay, (but that site is a normal forum and not in the fediverse, is it?)

@zalandocalrissian @aral @kaniini @bob @rysiek @yolo @dredmorbius @alrs
what in the name of autism, kaniini is still keeping this thread going. Just call them faggots and move on with it kaniini, it's not worth arguing about whatever it is

@levi

Look, I don't enjoy name-calling and ad personam arguments regardless of which side of the discussion I am on.

If you want to call people autists, do it somewhere where I don't have to interface with it.

@rysiek @aral Personally I don't care too much whether they do HTTP or HTTPS, the other fixes would be needed as well anyways.

@rysiek
This is easily exploitable with https too, http just makes for a somewhat larger set of people that can exploit it...
@aral

@maswan I would say HTTPS makes the set of people able to exploit it *considerably* smaller. And again, I am not saying the bug should not be fixed -- it absolutely should.

But people make mistakes, bugs happen, and defense in depth is a thing. HTTPS would make exploitation considerably harder.
