Re: [PLUG] The lock down?! Uhh.. why?

On Fri, Sep 20, 2019 at 3:00 PM Drew DeVault via plug wrote:
> > 2. The connection is harder to tamper with in general.
> Not important if the packages are signed.

Great, you get a package that doesn't verify.  That helps you avoid
installing a bad package, but it doesn't help you install a good one.

> > 3. Nobody can feed junk into your connection, which means that if your
> > package manager has some kind of input-sanitization issue you're less
> > vulnerable since only repos you're pulling from can inject something
> > into the data stream.
> >
> > 4. The only thing vulnerable to tampering from a MITM is your ssl
> > library, which probably gets a lot more scrutiny in general than your
> > package manager.
> Honestly I wouldn't trust OpenSSL further than I can throw it. Would
> you?

I'd trust it more than the package manager.  What happens if you
insert a couple of terabytes of targeted data in the download stream?
Maybe something bad happens before the package manager even invokes
gpg to verify the signature.

Sure, OpenSSL has had problems, but I'd say it is way more secure than
most software, and most of the known vulnerabilities are the result of
intensive scrutiny.  And of course it isn't the only SSL
implementation around.

Plus when a bug in OpenSSL gets discovered it gets fixed.

And if OpenSSL has an issue then worst case you're leaking junk into
the package manager, which is another line of defense.  It becomes an
additional line of defense in this model, and not your only one.

> > Plus it checks all the IT security boxes.  We're talking about Redhat
> > here.  If your corporate IT security department gives you an option of
> > checking yes to "uses SSL?" or checking no and filling out half a page
> > of justification and getting approvals, I imagine the chief sysadmin
> > would prefer to just check the yes box...
> Back to cargo culting...

Sure, I agree that particular point is cargo culting, but if your
manager is a cargo culter you can either argue with him all day, or
just make him happy.  That provides no benefits other than social
ones, but it also doesn't cost you anything.  This isn't a compromise
in security for the sake of checking a box.  IMO it is improving
security, albeit in a fairly limited way.

The main thrust of my argument is that SSL doesn't hurt anything, and
generally helps a little, and costs almost nothing, so there is no
reason to avoid it.

But, sure, you're generally about as secure if you just verify gpg
signatures instead.  There is nothing wrong with that either.  I'm not
about to join a crusade on either side of this issue, but it seems
like a pretty silly thing to complain about...
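
Added example, not part of the original message or of any package manager's code: one way a client can bound what it reads from an untrusted download stream before any package parsing happens, which is the stage the reply above worries about. The function name, the exception and the idea that the expected size and SHA-256 come from already-verified signed repository metadata are assumptions made for illustration.

```python
import hashlib
import io

class DownloadRejected(Exception):
    """The stream broke the size or digest expectation."""

def fetch_verified(stream, expected_size, expected_sha256, chunk_size=64 * 1024):
    """Return the package bytes only if size and SHA-256 both match.

    expected_size and expected_sha256 are assumed to come from repository
    metadata whose signature was already verified (hypothetical inputs).
    """
    digest = hashlib.sha256()
    buf = bytearray()
    while True:
        # Request at most one byte past the expected size, so an injected
        # oversized stream is cut off instead of being read to the end.
        remaining = expected_size + 1 - len(buf)
        chunk = stream.read(min(chunk_size, remaining))
        if not chunk:
            break
        buf += chunk
        digest.update(chunk)
        if len(buf) > expected_size:
            raise DownloadRejected("stream longer than signed metadata allows")
    if len(buf) != expected_size:
        raise DownloadRejected("stream shorter than signed metadata states")
    if digest.hexdigest() != expected_sha256:
        raise DownloadRejected("digest mismatch")
    return bytes(buf)  # nothing has been parsed before this point

# Constructed sample data, not a real package.
GOOD = b"constructed package payload" * 100
GOOD_SHA256 = hashlib.sha256(GOOD).hexdigest()

def demo():
    """Outcome for a clean, a padded and a tampered stream."""
    cases = {"clean": GOOD, "padded": GOOD + b"\x00" * 1_000_000,
             "tampered": b"X" + GOOD[1:]}
    results = {}
    for name, data in cases.items():
        try:
            fetch_verified(io.BytesIO(data), len(GOOD), GOOD_SHA256)
            results[name] = "accepted"
        except DownloadRejected as exc:
            results[name] = str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```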

