Idea #11010: SSL secured repository

Written by Eldmannen the 10 Jul 08 at 23:50. Category: Security. Related project: Nothing/Others. Status: New
Rationale
I would like to be able to connect to the software repository using a secure connection that uses SSL.

This will prevent man-in-the-middle attacks (MITM).

It will also prevent, for example, a totalitarian government from snooping on what I download or update. For example, maybe I download cryptography, anonymity or privacy software.

It will also ensure that the repository is the real repository, and not a fake one that hosts a Trojan horse or a keystroke logger.
Tags: repository SSL

58
votes
Solution #1: Auto-generated solution of idea #11010
Written by Eldmannen the 10 Jul 08 at 23:50.
Ubuntu Brainstorm was updated in January 2009. Since the idea #11010 was submitted before this update, its rationale and solution are not separated. Please vote accordingly, and if you have the necessary rights, please separate the rationale from the solution. Thanks!

Comments
Eldmannen wrote on the 10 Jul 08 at 23:52
In light of;
* http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html

Also read;
* http://it.slashdot.org/it/08/07/10/227220.shtml

"Furthermore, the researchers created a fictitious administrator and company name and were able to lease a server and get it listed as an official mirror for all the distributions they tried (Ubuntu, Debian, Fedora, CentOS, and OpenSUSE)"

droetker wrote on the 11 Jul 08 at 05:16
Er - you cannot SSL-enhanced download cryptographic software under a totalitarian government - because to encrypted-download cryptographic software you need first cryptographic software.

but anyway, the option should be there.
;-)

Eldmannen wrote on the 11 Jul 08 at 14:18
droetker,
Hehe. Well, everyone has a browser with SSL support.
Totalitarian governments probably would let you use SSL (which comes with OS) for banking sites, but might not like to see that you download TrueCrypt or Tor.

hspaans wrote on the 13 Jul 08 at 14:57
-1 SSL doesn't add any benefits, package signing does. DEB/RPM is capable of having package signatures.

Auzy wrote on the 13 Jul 08 at 15:24
SSL has benefits too hspaans.

The main one is that it prevents a man-in-the-middle attack, where a hacker injects data into the stream that exploits the system (buffer overflow in the stream, just like hacking a browser). Another might be sending data to the client which has a bad signature, but tracker scans the file, and has a flaw in the module that reads the packages.

Either way, it should be secure point-to-point, even if my suggestion is an unlikely scenario.


allstar wrote on the 28 Jul 08 at 12:02
Really don't understand the idea, every package is GPG signed, so why would SSL be needed???

elegie wrote on the 11 Jan 10 at 06:44
Are packages always digitally signed? When looking at the file list for the gnome-sudoku (i386 architecture) package (version 1:2.28.0-0ubuntu1, as of this writing) at the packages.ubuntu.com site (http://packages.ubuntu.com/karmic/i386/gnome-sudoku/filelist), for example, there do not seem to be any *.gpg or *.pgp or *.sig files in the package.

elegie wrote on the 11 Jan 10 at 06:47
In my previous comment, the URL was not included correctly. It should be possible to correctly access the URL via the following:

http://packages.ubuntu.com/karmic/i386/gnome-sudoku/filelist

mikropolip wrote on the 2 Mar 11 at 13:07
Elegie, Debian/Ubuntu signs not the packages themselves but a full repository index with checksums. I.e. after a package is downloaded, its checksum is verified against a known checksum in a gpg-signed file.

----

I would definitely pay for a secure mirror access. I hope that Canonical will bundle it with tech support package.
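
The checksum chain described in the comment above, as an added example that is not part of the original thread: a signed Release file lists the hash of the Packages index, and the index lists the hash of each .deb. It assumes the GPG signature on the Release file has already been verified (not done here); all file contents and the package name `example` are constructed sample data.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def release_entries(release_text: str) -> dict:
    """Parse the SHA256 section of a Release file into {path: (hash, size)}."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new top-level field starts
            in_section = line.strip() == "SHA256:"
        elif in_section:                      # indented " <hash> <size> <path>"
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def package_stanza(packages_text: str, filename: str) -> dict:
    """Return the Packages stanza whose Filename field matches."""
    for block in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if fields.get("Filename") == filename:
            return fields
    raise KeyError(filename)

def verify_deb(release_text, index_path, packages_bytes, filename, deb_bytes) -> bool:
    # Step 1: the index must match the hash and size in the signed Release file.
    digest, size = release_entries(release_text).get(index_path, (None, None))
    if digest != sha256(packages_bytes) or size != len(packages_bytes):
        return False
    # Step 2: the .deb must match the hash and size recorded in that index.
    try:
        stanza = package_stanza(packages_bytes.decode(), filename)
    except KeyError:
        return False
    return (stanza.get("SHA256") == sha256(deb_bytes)
            and int(stanza.get("Size", -1)) == len(deb_bytes))

# Constructed sample data (not real archive contents).
DEB = b"constructed .deb payload"
FILENAME = "pool/main/e/example/example_1.0_i386.deb"
PACKAGES = (f"Package: example\nVersion: 1.0\nFilename: {FILENAME}\n"
            f"Size: {len(DEB)}\nSHA256: {sha256(DEB)}\n").encode()
INDEX = "main/binary-i386/Packages"
RELEASE = (f"Origin: Example\nSuite: constructed\nSHA256:\n"
           f" {sha256(PACKAGES)} {len(PACKAGES)} {INDEX}\n")

if __name__ == "__main__":
    print(verify_deb(RELEASE, INDEX, PACKAGES, FILENAME, DEB))            # genuine file
    print(verify_deb(RELEASE, INDEX, PACKAGES, FILENAME, DEB + b"\x00"))  # altered .deb
```

The chain authenticates file contents whichever mirror served them; it does not hide which packages were requested, which is the confidentiality point raised in the rationale.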

