Attacks against GPG signed APT repositories (opens in new tab)

(blog.packagecloud.io)

12 pointsjcapote8y ago13 comments

13 comments

This is such a frustrating clickbait headline!

Most of the 'attack' s are:

1. Plain old bugs in apt. 2. Involve disabling the very security features (GPG and checksum verification) designed to prevent that attack!

jdamato8y ago

Hi!

I'm the author of the article. We never suggest turning off GPG and checksum verification.

The bugs may be in APT, but they allow several attack vectors against APT, as explained throughout. Let me know if you have any specific questions and I'd be happy to help clear things up!

rlpb8y ago

Additionally the article appears to intentionally conflate "issues" such as "if you turn security off" or "if the repository isn't signed" to make their list of possible issues look bigger. None of these are "Attacks against GPG signed APT repositories".

jdamato8y ago

We never suggest that you turn security off -- several versions of APT come with various settings defaulted to off, as described in the article.

All of the attacks presented (replay attacks, freeze attacks, and downgrade attacks) affect GPG signed APT repositories.

codedokode8y ago

What about replay attack? Providing apt with old metadata and packages?

2 more replies

parliament328y ago

The main recommendation is "always serve your apt repo over TLS", however, apt doesn't use TLS by design: https://whydoesaptnotusehttps.com/

jdamato8y ago

The website you linked to has several factual errors, as explained in the article.

jwilk8y ago

--force-yes is bad, but for reasons that have nothing to do with replay attacks.

This option effectively disables package authentication. This is because it forces "yes" answer to all questions, including the question about installing unauthenticated packages.

jwilk8y ago

For a moment I thought there's a new research paper about attacks on APT. Nope. The paper the article links to is from 2008.

jdamato8y ago

Yep, and the information is still relevant! The article explains how it applies to recent versions of APT in the current Ubuntu LTS releases.

j / k navigate · click thread line to collapse

13 comments

whacker8y ago

This is such a frustrating clickbait headline!

Most of the 'attack' s are:

1. Plain old bugs in apt. 2. Involve disabling the very security features (GPG and checksum verification) designed to prevent that attack!

jdamato8y ago

Hi!

I'm the author of the article. We never suggest turning off GPG and checksum verification.

The bugs may be in APT, but they allow several attack vectors against APT, as explained throughout. Let me know if you have any specific questions and I'd be happy to help clear things up!

rlpb8y ago

jdamato8y ago

We never suggest that you turn security off -- several versions of APT come with various settings defaulted to off, as described in the article.

All of the attacks presented (replay attacks, freeze attacks, and downgrade attacks) affect GPG signed APT repositories.

codedokode8y ago

What about replay attack? Providing apt with old metadata and packages?

2 more replies

parliament328y ago

The main recommendation is "always serve your apt repo over TLS", however, apt doesn't use TLS by design: https://whydoesaptnotusehttps.com/

jdamato8y ago

The website you linked to has several factual errors, as explained in the article.

jwilk8y ago

--force-yes is bad, but for reasons that have nothing to do with replay attacks.

This option effectively disables package authentication. This is because it forces "yes" answer to all questions, including the question about installing unauthenticated packages.

jwilk8y ago

For a moment I thought there's a new research paper about attacks on APT. Nope. The paper the article links to is from 2008.

jdamato8y ago

Yep, and the information is still relevant! The article explains how it applies to recent versions of APT in the current Ubuntu LTS releases.

j / k navigate · click thread line to collapse