Bug 1110245

Summary: Connection to online repositories should be HTTPS
Product: [openSUSE] openSUSE Tumbleweed Reporter: Gregory Kochurov <digitalmon>
Component: SecurityAssignee: Security Team bot <security-team>
Status: RESOLVED WONTFIX QA Contact:
Severity: Enhancement    
Priority: P5 - None CC: arbichev, astieger, i
Version: Current   
Target Milestone: Current   
Hardware: All   
OS: All   
Whiteboard:
Found By: Community User Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Gregory Kochurov 2018-09-30 08:06:41 UTC 
Although the online repository servers support HTTPS connection, downloading of packets still occurs via the HTTP protocol. This compromises the security of users. If their connection to the Internet is intercepted, if they work through any proxy server, the attackers can modify the packages on the fly during the download. To install malware and spyware into target system.

At the moment, you can only manually change the URLs of the repositories to https so that the packets are downloaded over a secure channel. I want that by default in the operating system the connection to the online-repositories, the downloading of packets, should be with HTTPS connection.

This will make users' safety a step higher. I'm sure there will be less glitches, bugs in user systems.

But Https is not a panacea. She is also vulnerable to the attack of MITM. The private surveilance service known to me, generates its own RSA-keys to encrypt the HTTPS, brute-force for them a digital signature so that the browser of user does not suspect forgery. The attacker's computer connects to the remote server by https, downloads packages, replaces executable files, infects them with a virus, and the user gives https traffic with his encryption key and a digital signature. But such an attack is not for everyone. To make it more difficult, you need to use long encryption keys and digital signatures on the repository servers. RSA4096 at least.

I know that even LTE-connection to the Internet can be intercepted with using of special technical means and OpenLTE, so I do not trust to LTE. LTE-connection can work without encryption, and 3G connection seems to be always encrypted.
A wired connection to the Internet, to intercept - generally easy. As PPPoe, as  DHCP (DHCP is without authorization and verification of provider access point).

The 3G modem with a good antenna has the same speed as the LTE.
Comment 1 Andreas Stieger 2018-09-30 08:45:28 UTC 
From the SUSE Security team:

(In reply to Gregory Kochurov from comment #0)
> This compromises the security of users.

No it does not. Repository metadata and packages are signed. This is actually a higher security level than TLS's "any CA" approach. For package delivery, integrity is the most important element and well covered. Confidentiality is less important for this type of transfer.

> If their connection to the Internet is intercepted, if they work
> through any proxy server, the attackers can modify the packages on the fly
> during the download. To install malware and spyware into target system.

Again not true. The user receive a signature verification error, or will have to accept unknown repository signing keys, or disable signature verification altogether.

> This will make users' safety a step higher. I'm sure there will be less
> glitches, bugs in user systems.

As per the above, using https will actually create a false sense of security, and it cannot replace repository metadata and signature verification. Also see bug 1107994 for things that can happen.

So all in all, for the openSUSE mirror redirection infrastructure, we cannot switch to HTTPS by default at this time, and consider repository and package signature a better security guarantee due to the implicit pinning to a specific key
Comment 2 Yunhe Guo 2020-09-26 09:15:43 UTC 
Even in 2020, ISPs are still caching HTTP data in a very bad way. If ISPs send you out-dated repo data, you will get errors when running zypper up...

This happens quite often in China. I have to answer the same kind of questions every month and ask people to switch to HTTPS. Most users just blame openSUSE for "bad download server" but it is because of the ISP...

I agree with Andreas Stieger that HTTPS doesn't bring extra security benefits. But it can definitely prevent ISPs downgrade our user experience...

We must certainly keep GPG signatures for security and mirror verification. But we can also enforce HTTPS to avoid unnecessary errors.
Comment 3 Andreas Stieger 2022-11-15 12:45:08 UTC 
*** Bug 1205431 has been marked as a duplicate of this bug. ***