
Deficiencies wrt. CentOS

Posted Jul 17, 2008 16:42 UTC (Thu) by justincappos (guest, #52950)
In reply to: Deficiencies wrt. CentOS by dag-
Parent article: Study: Attacks on package managers

I've posted a few corrections on the original blog entry. I'll post here as well.

Hello, I'm one of the authors of the study. I wanted to first of all thank you for
commenting on our research. One of the major benefits we hoped would come from making this
public is that the Linux community would become more aware and interested in fixing the
problems we point out.


I also wanted to respond to several of the issues you brought up in your blog post. First, I
appreciate you pointing out that many distributions check to see if their mirrors are current
and try to remove mirrors that are not. We under-emphasized this in the webpage and other
documents because we did not view this as a mechanism used to detect a malicious party (we
thought the intent was to detect negligent administrators and broken scripts). As I'm sure
you and the savvy reader are aware, it is possible for a web server to serve different content
to different users. We examined our web request logs from our CentOS mirror and I believe we
can identify the "checking bot" IP addresses. If we were malicious, we could serve "good"
content to your checking bot and "malicious" content to other users. I would be happy to
provide what I believe to be the IPs used to check if a mirror is current to you offline for
verification / rebuttal. However, since you view this information as important to the
security of your users, I will not list the information here.

Additionally, I wanted to mention that we found significant security problems with Fedora's
MirrorManager (our FAQ talks about how it can be used to target attacks). However, other
redirectors we looked at (like Download Redirector for OpenSUSE) do improve security in a
similar manner to what you describe. I was wondering if we could talk more offline about how
your mirror list redirection works so we can discuss the potential for abuse?

I also wondered if you might want to look in detail at the other attacks page of the web site
and the technical report which mentions detailed information about flaws in YUM. We would be
happy to discuss the feasibility of attacks that target these issues with you. However, I
will point out one attack that is extremely simple that I hope illustrates there is a real
danger to your users. If I control a mirror and you attempt to retrieve a file from my
mirror, I can return an endless stream of data which (on YUM) will fill the disk and crash the
client system (stopping logging, corrupt databases, etc.). This is obviously a real threat
to all of your users regardless of any mirror redirection strategies you perform.

Anyways, we thank you for taking a look at our research and hope to hear more rebuttal /
confirmation in the future.

Thanks,
Justin Cappos
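The "endless stream" attack described in the comment above works because the client keeps writing whatever the mirror sends. The added example below (written for this page; it is not code from the study, from YUM, or from any distribution's tooling) shows the client-side check that closes it: the downloader takes the expected size and checksum from repository metadata it already trusts (assumed here to come from a signed index such as repomd.xml/primary.xml, which is how YUM repositories carry per-file size and digest) and refuses to read a single byte past that size. The constructed package bytes, the in-memory "mirror" generators, and the function names are all illustrative assumptions.

```python
"""Bounded, checksum-verified download from an untrusted mirror (added example).

A mirror that returns an endless body cannot fill the disk if the client
stops reading once the size promised by trusted metadata is exceeded, and a
mirror that returns the wrong bytes is caught by the digest check.
"""
import hashlib
from typing import Iterator, Tuple


class DownloadError(Exception):
    """Raised when the mirror's response violates the trusted metadata."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def bounded_fetch(chunks: Iterator[bytes], expected_size: int,
                  expected_sha256: str, slack: int = 0) -> bytes:
    """Consume `chunks` from the mirror, never reading past expected_size+slack.

    expected_size / expected_sha256 are assumed to come from signed repository
    metadata, so the mirror cannot raise the limit on its own.  The check runs
    per chunk, before the data is stored, so an endless stream is aborted on
    the first chunk that would cross the limit.
    """
    limit = expected_size + slack
    digest = hashlib.sha256()
    received = bytearray()
    for chunk in chunks:
        if len(received) + len(chunk) > limit:
            raise DownloadError(
                f"overrun: mirror sent more than {limit} bytes, aborting")
        received += chunk
        digest.update(chunk)
    if len(received) != expected_size:
        raise DownloadError(
            f"short: expected {expected_size} bytes, got {len(received)}")
    if digest.hexdigest() != expected_sha256:
        raise DownloadError("checksum mismatch: mirror content is not the "
                            "file the metadata describes")
    return bytes(received)


def fetch_report(chunks: Iterator[bytes], expected_size: int,
                 expected_sha256: str) -> Tuple[bool, str]:
    """Convenience wrapper returning (ok, reason) instead of raising."""
    try:
        bounded_fetch(chunks, expected_size, expected_sha256)
        return True, "ok"
    except DownloadError as exc:
        return False, str(exc)


# --- constructed stand-ins for mirror responses (not real network I/O) -----

def honest_stream(data: bytes, chunk_size: int = 1024) -> Iterator[bytes]:
    """A well-behaved mirror: serves exactly the file, in chunks."""
    for i in range(0, len(data), chunk_size):
        yield data[i:i + chunk_size]


def endless_stream(chunk: bytes = b"A" * 4096) -> Iterator[bytes]:
    """The attack from the comment: a body that never ends."""
    while True:
        yield chunk


if __name__ == "__main__":
    # Constructed sample "package"; in practice size/digest come from signed metadata.
    package = b"constructed rpm payload " * 100
    size, digest = len(package), sha256_hex(package)
    print(fetch_report(honest_stream(package), size, digest))
    print(fetch_report(endless_stream(), size, digest))
    print(fetch_report(honest_stream(package[:-1] + b"X"), size, digest))
```

The important property is that the limit is enforced before each chunk is buffered or written, not after the transfer completes; a check that only runs on the finished file still lets the mirror fill the disk first. Streaming the download to disk instead of memory needs the same per-chunk test, and the expected size must come from metadata the client has already verified, not from the mirror's own Content-Length header.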




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds