You are not logged in.
Pages: 1
As many of the Arch users know Pacman (and most updater programs) creates a notoriously vulnerability to the Domain Name Server (DNS) Man In The Middle (MITM) attack; if you don't know what this is see the second paragraph. I think that this problem REALLY needs a solution, so I propose: A single GnuPG http://www.gnupg.org/ key for the server, the server encrypts and signs the hashes for the packages to be downloaded using the server private key. The users have the server's signed public key so they can decrypt the message and check the signature to make sure its a trusted source. Now the user can download directly from the IP gathered while preforming the initial DNS request (So if the server has a low Time To Live (TTL) the MITM attack can't happen during the second request) and check against known "good" hash checksums. I've tried to identify some possible flaws with this system which include:
Statistical Analysis: I figure (even though I don't think its ever been done) with enough samples and decodes of a GPG encrypted message you could preform a statistical analysis and effectively procure a private key.
Multiple Server Problems: With all the different servers for each to have access to the private key would be insane, the private key should be used to lock data on the main (archlinux.org?) server and the rest can copy and update regularly (as they do now)
Increased Distro Size: It would be a slight increase to make room for the GPG command line program, but I don't think it would be too bad.
INSERT YOUR CRITIQUE HERE: I'm sure theres more and for the security of the community they should be discussed.
OK so this part is for those who don't understand the first paragraph. The DNS MTIM attack is sort of difficult to explain but after noting the confusion on my sister thread http://bbs.archlinux.org/viewtopic.php?id=35609&p=1 I decided it is a necessity. To begin:
DEFINITIONS:
DNS: Domain Name Server; the central hub of the Internet. It operates like a phone book if you will but with IP address instead of phone numbers and housing addresses, and domain names instead of the persons names (ie: google.com vs John Doe) you use it every time you connect to the Internet or lookup a host name
MITM attack: Man in the middle attack; generally considered to be a more difficult hack but doable all the same. The attack requires the hacker to be between the user and his target data.
WHAT HAPPENS?:
A hacker pretends to have the same IP as your DNS (or something more elegant) so, when you ask your DNS for the IP address of archlinux.org it returns the hacker's choice of address. More often then not the hacker would spy on your DNS requests and provide you with you normal Internet for a while. It is here that the hacker becomes a cracker, (a hacker with malicious intent) if he see you access archlinux.org (or one of the mirrors) once a week he can assume that you probably run Arch, use Pacman, have an I686 or x64 architecture. Now that he knows what mirror you use he can copy the server architecture from another server, bind the address of the mirror to his own server and effectively route all the traffic to that server. As Arch uses precompiled binaries in its updates etc. it would be phenomenally easy at this point to change the code of one of the updates to something malicious and have you download it and run it on your next update. Scary stuff eh?
SOURCES:
-WIKIPEDIA
-GOOGLE
-Dan Kaminsky: Director of penetration testing at IOActive
I suggest you read this power point, its a great synopsis of the problem and shows how recently this has been exposed.
http://www.doxpara.com/DMK_BO2K8.ppt
-Cory Doctorow's "Little Brother"
Its a great read.
http://craphound.com/littlebrother/download/
Countless Others
Offline
Patches welcome.
If someone actually wants to submit some patches for this, join the pacman-dev list and find out about the pgp branch where a good start has been made.
Offline
seems a little paranoid to me of course the possibility exists, but still... mhh
cheers Barde
Offline
seems a little paranoid to me of course the possibility exists, but still... mhh
cheers Barde
Well, if Arch becomes a more popular distro or base for other distros there is definitely an increased chance of an automated attack.
2 notes about the OP's argument:
Getting the DNS / sites a person is visiting is a lot easier than the OP makes it, it's only reverse DNS lookups on IPs or HTTP requests. (lots of reverse DNS lookups are a sign of packet sniffing, by the way)
Also, the "making a mirror" would take far too much work/bandwidth. I would rather make a quick script to unpackage one of the updates, include a rootkit, repack it, and inject it back into the wireless stream. Yes, to do this you would make your computer the middle man first when that site is requested (as already described) by acting as the DNS.
It's really not that hard to do and it would certainly make a big problem if Arch moved to "enterprise level" so there really is a need for it, although it isn't pressing at the moment.
Actually, that could make a really interesting Arch-only "worm" (for those with Atheros chipsets) that would spread upon updating.
Offline
will it like apt-get? it will be a little hard to use than now, but i think it is better.
Offline
I seem to recall seeing an initiative along these lines a year or two back, where it was proposed that the devs verity their identities to the central server and the central server verify it's identity for the clients. A sound plan, but no one would bother to code it, and the devs thought it was overkill. I tend to agree with them.
This isn't so much overkill, but I don't think it's as essential as the OP presents. An ISP with IP egress protection will stop something like this dead in its tracks.
Offline
I think gnuffy already implemented this idea. although their pacman version called spaceman is written in bash, maybe there is a possibility to take their ideas and sorta implement it in pacman. I would be happy to help in that direction, as long as I have someone to go to with problems with pacman's source. I tried to look at the source but i got stuck pretty fast -.-
the downside would be that we had another dependency for pacman (gnupg)
cheers Barde
Offline
This has already been mentioned (by me, specifically ), and I hear it's on the development to-do list:
http://bbs.archlinux.org/viewtopic.php?id=51570
http://bbs.archlinux.org/viewtopic.php? … 82#p333982
Offline
FWIW, pacman-G2 (used by Frugalware) already implements GPG signing.
Offline
Pages: 1