Updating is over insecure connection
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ubuntu | Confirmed | Undecided | Unassigned | |
Bug Description
Relying on signatures is silly. It gives attackers much more control over a situation, and we already know that this *doesn't work* when weak signatures like MD5 are used (see Flame hash collision). Is the average user going to get attacked this way, with a collision? Maybe not. But Ubuntu servers are going to get targeted, and updating over HTTP just doesn't make sense.
Flame may have been a government attack aimed at other governments, but users were infected. They were attacked to get to the government systems. So whether you're a server or a high value target or whatever, there are people who will try to exploit this system. Preventing this is as simple as properly implementing HTTPS and encouraging third-party developers to do the same with their packages.
https:/
https:/
HTTPS with HSTS in particular will prevent:
1) An attacker from viewing traffic that can give them information as to the attack surface on a system. They can see which applications are at which versions, and how often the system is updating.
2) It means that if the signing key is compromised the attacker can install their own updates via MITM.
HTTPS prevents this.
Is there any solid reason why updates are still over an insecure connection? Microsoft has updated over a secure connection for a year now.
The equivalent for the initial Ubuntu download is bug 1359836.
This bug was featured on HTTP Shaming. <http://
Changed in ubuntu:
status: Expired → Confirmed
Status changed to 'Confirmed' because the bug affects multiple users.