| Rich Freeman via plug on 20 Sep 2019 12:18:27 -0700 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
| Re: [PLUG] The lock down?! Uhh.. why? |
On Fri, Sep 20, 2019 at 3:00 PM Drew DeVault via plug <plug@lists.phillylinux.org> wrote: > > > 2. The connection is harder to tamper with in general. > > Not important if the packages are signed. Great, you get a package that doesn't verify. That helps you avoid installing a bad package, but it doesn't help you install a good one. > > 3. Nobody can feed junk into your connection, which means that if your > > package manager has some kind of input-sanitization issue you're less > > vulnerable since only repos you're pulling from can inject something > > into the data stream. > > > > 4. The only thing vulnerable to tampering from a MITM is your ssl > > library, which probably gets a lot more scrutiny in general than your > > package manager. > > Honeslty I wouldn't trust OpenSSL further than I can throw it. Would > you? I'd trust it more than the package manager. What happens if you insert a couple of terabytes of targeted data in the download stream? Maybe something bad happens before the package manager even invokes gpg to verify the signature. Sure, OpenSSL has had problems, but I'd say it is way more secure than most software, and most of the known vulnerabilities are the result of intensive scrutiny. And of course it isn't the only SSL implementation around. Plus when a bug in OpenSSL gets discovered it gets fixed. And if OpenSSL has an issue then worst case you're leaking junk into the package manager, which is another line of defense. It becomes an additional line of defense in this model, and not your only one. > > Plus it checks all the IT security boxes. We're talking about Redhat > > here. If your corporate IT security department gives you an option of > > checking yes to "uses SSL?" or checking no and filling out half a page > > of justification and getting approvals, I imagine the chief sysadmin > > would prefer to just check the yes box... > > Back to cargo culting... Sure, I agree that particular point is cargo culting, but if your manager is a cargo culter you can either argue with him all day, or just make him happy. That provides no benefits other than social ones, but it also doesn't cost you anything. This isn't a compromise in security for the sake of checking a box. IMO it is improving security, albeit in a fairly limited way. The main thrust of my argument is that SSL doesn't hurt anything, and generally helps a little, and costs almost nothing, so there is no reason to avoid it. But, sure, you're generally about as secure if you just verify gpg signatures instead. There is nothing wrong with that either. I'm not about to join a crusade on either side of this issue, but it seems like a pretty silly thing to complain about... -- Rich ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug