Ticket #2392: downloading repository key should use SSL
Status: Closed (100% done)
Description
Hi
When adding a repository for Debian or Ubuntu it is suggested to download the key using http. This allows for a very critical man-in-the-middle attack. Should it not suggest using https, thus SSL?
Also should the http://software.opensuse.org not redirect to using HTTPS?
Best regards
Pascal
Updated by mcaj over 9 years ago
- Assignee set to opensuse-admin
Hi Admin,
What is your opinion about this request?
Martin
Updated by coolo over 9 years ago
Updated by Anonymous over 9 years ago
- Due date set to 2015-12-31
- Status changed from New to In Progress
- Assignee set to Anonymous
- Start date set to 2015-01-12
- Estimated time set to 30.00 h
Hi Pascal
Adding just my notes here - and taking the ticket for now.
pascal@dhermilly.dk wrote:
> When adding a repository for Debian or Ubuntu it is suggested to download the key using http.
> This allows for a very critical man-in-the-middle attack. Should it not suggest using https, thus SSL?
We will enable SSL support next year (means: 2015).
Currently I would say: "only for the repository meta information, not the binary packages as such", as those normally come with their own checksums and signatures.
> Also should the http://software.opensuse.org not redirect to using HTTPS?
Not needed for the binary packages, IMHO. Might be that Debian packages are different and rely completely on the SSL encryption of the server (please enlighten me here)?
One of the reasons that I do not want to provide SSL for binary packages is the fact that not all of our mirror servers support SSL. And redirecting a user from one encrypted SSL domain to another one (that might have none or an unknown SSL key) might also be a risk.
https://github.com/openSUSE/open-build-service/issues/449 is also an open issue that we should work on together with the developers.
Regards,
Lars
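The distinction Lars draws above (the key and the repository metadata need a tamper-resistant download channel, while the packages themselves are covered by hashes chained from the signed metadata) can be made concrete with a small script. The following is an added example written for this page, not code from openSUSE, the Open Build Service or software.opensuse.org. It assumes the Debian/Ubuntu repository layout: a `Release` file whose `SHA256:` section lists the hash and size of each index file, and which is itself signed with the repository key. The sample `Release` and `Packages` contents and the key URL path are constructed for the example; only the host `download.opensuse.org` comes from the ticket.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample index file and the matching SHA256 entry of a Release file.
# In a real repository the Release file is signed (Release.gpg / InRelease) with
# the repository key, so trusting that key is what makes the hashes below trustworthy.
SAMPLE_PACKAGES = b"Package: example\nVersion: 1.0\nArchitecture: amd64\n"
SAMPLE_RELEASE = (
    "Origin: constructed\n"
    "Suite: stable\n"
    "SHA256:\n"
    f" {hashlib.sha256(SAMPLE_PACKAGES).hexdigest()} {len(SAMPLE_PACKAGES)} main/binary-amd64/Packages\n"
)


def key_url_is_acceptable(url: str) -> bool:
    """Accept a repository-key URL only if it uses HTTPS.

    The key is the trust anchor for every later signature check, so a plain-HTTP
    download (the situation the ticket reports) lets a network attacker hand the
    client a different key and then sign arbitrary metadata with it.
    """
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256_hex, size)} parsed from the SHA256 section of a Release file."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):
                break  # a new top-level field ends the hash section
            parts = line.split()
            if len(parts) != 3:
                continue  # tolerate blank or malformed continuation lines
            digest, size, path = parts
            entries[path] = (digest.lower(), int(size))
    return entries


def verify_index(release_text: str, path: str, data: bytes) -> bool:
    """Check a downloaded index file against the hash and size the Release file states.

    Once the Release file's signature has been verified with a trusted key, this
    check is what protects the index (and, through the index, the packages) even
    when they are fetched from a plain-HTTP mirror.
    """
    entries = parse_release_sha256(release_text)
    if path not in entries:
        return False
    expected_digest, expected_size = entries[path]
    if len(data) != expected_size:
        return False
    return hashlib.sha256(data).hexdigest() == expected_digest


if __name__ == "__main__":
    # Constructed URL path; only the host name appears in the ticket.
    print(key_url_is_acceptable("https://download.opensuse.org/example/Release.key"))  # True
    print(key_url_is_acceptable("http://download.opensuse.org/example/Release.key"))   # False
    print(verify_index(SAMPLE_RELEASE, "main/binary-amd64/Packages", SAMPLE_PACKAGES))  # True
    print(verify_index(SAMPLE_RELEASE, "main/binary-amd64/Packages", SAMPLE_PACKAGES + b"x"))  # False
```

The two checks separate the problems the thread discusses: `key_url_is_acceptable` is the client-side equivalent of the fix Pascal asks for, and `verify_index` shows why Lars can accept HTTP mirrors for the packages themselves once the metadata is signed and the signing key was obtained safely.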
Updated by tampakrap over 8 years ago
- Assignee changed from Anonymous to 17572
- Private changed from Yes to No
Updated by tampakrap about 7 years ago
- Status changed from In Progress to Closed
partially done, to be continued on https://github.com/openSUSE/software-o-o/issues/123
Updated by tampakrap about 7 years ago
- Status changed from Closed to In Progress
reopening per darix's request. Current state can be seen at https://lists.opensuse.org/opensuse-security/2017-01/msg00000.html
Updated by tampakrap about 7 years ago
- Assignee changed from Anonymous to Anonymous
Updated by tampakrap over 6 years ago
- Due date set to -4712-01-01
- Start date set to 5000-01-01
due to changes in a related task
Updated by lrupp over 4 years ago
- Status changed from In Progress to Closed
Closing here: the infrastructure supports SSL (https://download.opensuse.org), but the software needs to follow.
-> Nothing for admins, just something that should be tracked. In https://bugzilla.opensuse.org/