Re: [Discussion] Privacy and security for IPFire updates

[Matthias Fischer <matthias.fischer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 5396 bytes --]

Hi,

I'm more hardware oriented, so I'm not so familiar with this kind of
security structures, but...

On 10.04.2018 19:15, Peter Müller wrote:
> Hello,
> 
> a few days ago, I had a discussion with Michael about
> privacy and security for IPFire updates (we mainly
> focused on IPFire 3.x, but some points might be
> applicable to 2.x, too).
> 
> In order to get some more opinions about this, I would
> like to mention the main points here and ask for comments.
> Forgive me if you receive this mail twice; I'll post
> it on both development and mirror list.
> 
> (a) Security
> Whenever you are updating an application or an entire
> operating systems, security is the most important
> aspect: An attacker must not be able to manipulate update
> packages, or fake information about the current patchlevel,
> or something similar.
> 
> In the past, we saw several incidents here - perhaps
> the most famous one was "Flame" (also known as "Flamer" or
> "Skywiper"), a sophisticated malware which was detected
> in Q1/2012 and spread via Windows Updates with a valid
> signature - and it turned out that strong cryptography
> is a very good way to be more robust here.
> 
> In IPFire 2.x, we recently switched from SHA1 to SHA512
> for the Pakfire signatures, and plan to change the signing
> key (which is currently a 1024-bit-DSA one) with Core
> Update 121 to a more secure one.
> 
> So far, so good.
> 
> Speaking about IPFire 3.x, we plan to download updates
> over HTTPS only (see below why). However, there are still
> a few questions left:
> (i) Should we sign the mirror list?
> In 3.x, using a custom mirror (i.e. in a company network) will
> be possible. If not specified, we use the public mirror
> infrastructure; a list of all servers and paths will
> be published as it already is today.
> 
> In my opinion, we should sign that list, too, to prevent
> an attacker from inserting his/her mirror silently. On
> the other hand, packages are sill signed, so a manipulation
> here would not be possible (and we do not have to trust our
> mirrors), but an attacker might still gather some metadata.
> 
> [The mirror list can be viewed at https://mirrors.ipfire.org/,
> if anyone is interested.]

Jm2c:
Sounds reasonable. Agreed. Mirrors should be as secure as possible. Yes.

> (ii) Should we introduce signers?
> A package built for IPFire 3.x will be signed at the builder
> using a custom key for each machine. Since malicious activity
> might took place during the build, the key might became
> compromised.
> 
> Some Linux distributions are using dedicated signers, which
> are only signing data but never unpack or execute them. That
> way, we could also move the signing keys to a HSM (example:
> https://www.nitrokey.com/) and run the server at a secure
> location (not in a public data centre).

Being more on the hardware side, I must confess, I don't know what the
main consequences would be. No firm opinion...

> 
> (b) Privacy
> Fetching updates typically leaks a lot of information (such
> as your current patch level, or systems architecture, or
> IP address). By using HTTPS only, we avoid information leaks
> to eavesdroppers, which I consider a security benefit, too.

ACK.

> However, a mirror operator still has access to those information.
> Perhaps the IP address is the most critical one, since it
> allows tracing a system back to a city/country, or even to
> an organisation.
> 
> Because of that, I do consider mirrors to be somewhat critical,
> and would like to see the list singed in 3.x, too.

ACK.

> (i) Should we introduce mirror servers in the Tor network?
> One way to solve this problem is to download updates via a
> proxy, or an anonymisation network. In most cases, Tor fits
> the bill.
> 
> For best privacy, some mirror servers could be operated as
> so-called "hidden services", so traffic won't even leave the
> Tor network and pass some exit nodes. (Debian runs several
> services that way, including package mirrors: https://onion.debian.org/ .)
> 
> Since Tor is considered bad traffic in some corporate network
> (or even states), this technique should be disabled by
> default.
> 
> What are your opinions here?

I never used Tor and don't plan to use it in the future, so I can't say
much about this.

> (ii) Reducing update connections to anybody else
> Some resources (GeoIP database, IDS rulesets, proxy blacklists)
> are currently not fetched via the IPFire mirrors, causing
> some of the problems mentioned above.
> 
> For example, to fetch the GeoIP database, all systems sooner
> or later connect to "geolite.maxmind.com", so we can assume
> they see a lot of IP addresses IPFire systems are located behind. :-\
> Michael and I are currently working on a replacement for
> this, called "libloc", but that is a different topic.
> 
> Pushing all these resources into packages (if they are
> free, of course) and deliver them over our own mirrors would
> reduce some traffic to third party servers here. For libloc,
> we plan to do so.
> 
> Should we do this for other resources such as rulesets and
> blacklists, too?

Same as above: I don't know what the main consequences would be and how
'libloc' really works. But it sounds reasonable. Yes.

> Looking forward to read your comments.

Since you didnt' get much answers until now, I hope this one helps a
bit... ;-)

> Thanks, and best regards,
> Peter Müller
> 

Best,
Matthias