
Fedora and secure release upgrades

Posted Dec 20, 2012 13:29 UTC (Thu) by n8willis (subscriber, #43041)
In reply to: Fedora and secure release upgrades by etienne
Parent article: Fedora and secure release upgrades

My understanding is that the problem with the scenario you describe is that the F17 tool you use to download said file does not have signature-checking built into _it_, thus you cannot guarantee that a MITM attacker doesn't silently replace the download at some network node in between your machine and the Fedora server. Likely? Probably not.

In short, it's like an induction problem; since the very first version of the tool did not check sigs, the chain of trust cannot be "bootstrapped". The problem has become inserting the fixed/trustable tool somewhere into the insecure sequence.

Nate



Fedora and secure release upgrades

Posted Dec 20, 2012 15:05 UTC (Thu) by etienne (guest, #25256)

> cannot guarantee that a MITM attacker doesn't silently replace the download

I was saying that this download is inside a package, so its signature is checked by RPM with Fedora 17 signature - or Fedora 16 signature if you are currently running F16 and have downloaded the F16 upgrade package.
If the problem is that you currently have an insecure/compromised Fedora 17 and you want to upgrade to a secured Fedora 18, then there is a problem: the updater cannot use anything of the running system.
But that is not a new problem: if you have a compromised system, you have to wipe it clean and install from fresh.
It is true that encrypting the updater with F18 key is not really useful if you cannot trust the software to decrypt it (which is a Fedora 17 package).

Fedora and secure release upgrades

Posted Dec 20, 2012 15:34 UTC (Thu) by n8willis (subscriber, #43041)

But the issue is that you cannot *know* whether or not your F17 system is compromised by checking it with F17 itself. That's the trust chain problem. To be sure you could trust the alleged F17 key, you would have had to have already downloaded a key asserting to be F16-signed. But to verify that, you would have to have downloaded a key asserting to be F15-signed, and you would have to have an F14-signed key for that, and so on. Even if that chain of trust would work in theory, all the way back to the bootstrapping of the project, the reality is that those older signed-key packages don't exist (and never will).

Nate
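The bootstrapping argument in the thread above, as an added Go example that is not from LWN, the commenters or the Fedora project: each release's key is shipped in a package signed by the previous release's key, and a key is trusted only if the signature chain reaches a key obtained out of band. The release names and the ed25519 keys are constructed for the demonstration; `buildChain` and `verifiable` are hypothetical helpers, not Fedora tooling.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// release is one release's signing key plus the "key package" that the
// previous release shipped for it (release names are constructed examples).
type release struct {
	name   string
	pub    ed25519.PublicKey
	sig    []byte // signature over pub made with the previous release's key
	signer string // release whose key produced sig; "" for the oldest one
}

// buildChain generates a fresh key per name, in order, signing each key with
// its predecessor's key (the F16-signed package carrying the F17 key, etc.).
func buildChain(names []string) map[string]*release {
	chain := make(map[string]*release)
	var prevName string
	var prevPriv ed25519.PrivateKey
	for _, n := range names {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		r := &release{name: n, pub: pub}
		if prevPriv != nil {
			r.sig, r.signer = ed25519.Sign(prevPriv, pub), prevName
		}
		chain[n] = r
		prevName, prevPriv = n, priv
	}
	return chain
}

// verifiable walks the chain from name back toward a release whose key was
// obtained out of band (trusted). If no link reaches such an anchor, or a
// link is missing or fails to verify, the key stays untrusted: the induction
// has no base case, which is Nate's point about the missing older packages.
func verifiable(chain map[string]*release, trusted map[string]bool, name string) bool {
	r, ok := chain[name]
	if !ok {
		return false
	}
	if trusted[name] {
		return true
	}
	parent, ok := chain[r.signer]
	if !ok || !ed25519.Verify(parent.pub, r.pub, r.sig) {
		return false
	}
	return verifiable(chain, trusted, r.signer)
}
```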


Copyright © 2017, Eklektix, Inc.