In Raspberry Pi's spirit of education, and for the intended audience of Linux technology newbies, I will start off by giving a very brief introduction to internet security. And we should all see ourselves as learners. Living is learning. The expert mind sees very few possibilities while the beginner's mind sees many.
Let's start with some security basics.
Linux is an open source operating system, and most of the software that runs on it is open source too. That means you don't have to trust the author of the software with what they're doing on your computer, whether that is spying on you (capturing your keystrokes, recording video or sound of you, or sending your files back to them) or using your hardware for their own nefarious purposes (hacking, botnets, DDoS attacks, etc.), because you can review the source code yourself.
So as long as you can read and understand the source code, you don't need to trust the authors.
But reading source code and compiling everything manually is time consuming.
You might for example trust the package maintainers for Debian or Raspbian.
APT is a package system designed to facilitate the secure distribution of pre-compiled package binaries.
You can download binaries (non-human readable code, for your computer to run) from people you have decided to trust.
APT uses GPG keys, that is, public key cryptography. The package author creates a keypair for themselves and makes their public key available to you.
When you have the package author's public key, you can confirm that the package you have received has come from them, unaltered, because they have signed it with their private key (and you hope that their private key has not been stolen by an attacker).
APT allows for efficient distribution of packages. Instead of millions of users always downloading their package lists and packages from one Debian server (and overloading it), the packages are mirrored around the world. They are hosted at low cost and served over insecure HTTP connections. After apt-get downloads a package over an insecure HTTP connection from any mirror, or even from the main archive, it checks the package's signature against the public key.
This means that even if the server you download packages from has been hacked, and an attacker has placed fake/compromised/infected packages on that server for you to download, you're OK, because apt-get will see that they're not signed by the author.
This trust is based on the assumption that you have the author's real public key, that their private key has not been compromised, and that the author's computer has not been compromised. Hopefully the author's computer is secure and they encrypt their data, use strong passwords and use secure software.
Even if someone performs a man-in-the-middle attack on your HTTP connection while you run apt-get update or apt-get install, apt-get will notice that the information you've received has not been signed correctly.
So APT, when used as it is designed, is secure.
Now that you're familiar with APT's security features, let's have a look at HTTP and HTTPS.
HTTP is the internet protocol for serving web pages. It was invented long ago and it is completely vulnerable to man-in-the-middle attacks.
Your TCP connection to a server might pass through 50 servers along the way. A man-in-the-middle attack can be performed at any one of those 50 servers, or on the links between them.
The data can be changed. You might go to http://mybank.com and an attacker serves up a fake copy of your bank's website that asks for your password. Bye bye money.
There are 3 massive security problems with HTTP:
1. Privacy: Anyone in the middle can read your communications (they can see your password, your bank balance, and other financial information)
2. Validity: The data can be changed in transit (man-in-the-middle attack) (you might try to pay bank account number 123, and the attacker changes the beneficiary account number to 456; or the attacker steals your money and shows you a fake balance, etc.)
3. Authenticity: You have no way of knowing if the data you receive (the website, or file) comes from the server/company/person you're actually trying to communicate with.
HTTPS, like APT, solves these problems with public key encryption.
When you try to go to http://mybank.com, mybank sends you an HTTP 301 "Moved Permanently" response with a Location header telling your web browser to go to https://mybank.com instead.
Your web browser will automatically go to https://mybank.com and establish an SSL connection (a tunnel) for the HTTP data to flow through.
1. Nobody can see any of the information you're sending to the bank, or what they're sending you.
2. Nobody can change any of the contents (which they can't even read) because your web browser will detect that the data is invalid.
3. You know that the server you're trying to communicate with IS the author of the information you have received, because it has signed the information using its private key.
Very similar to APT. Problem solved, right?
Well yes, encryption works if you use it properly, otherwise it's worthless.
Most of the Raspberry Pi repositories have completely undermined APT security, and thus every Raspberry Pi is insecure.
This is a bold claim. As far as I can tell, it is true. Please investigate for yourself.
I first discovered the problem when I went to this page.
Raspbian.org suggests this completely insecure command:
wget http://archive.raspbian.org/raspbian.public.key -O - | sudo apt-key add -
They want your Raspberry Pi to trust a public key that they're going to send you using absolutely no security of any kind.
That public key, which supposedly comes from archive.raspbian.org and bounces through many, many servers and network links before it gets to you, could be changed many times... and your computer wouldn't have the faintest idea.
So Raspbian.org has just BROKEN APT SECURITY, completely.
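To make the point of the APT explanation above and of the key-over-HTTP problem concrete, here is an added example (my own code, not from the post or from the Raspbian project) that models APT's signature check in miniature with Ed25519 from Go's standard library. The keys and package bytes are constructed; the three cases are a genuine package, a package altered by a man in the middle on a plain-HTTP mirror, and an attacker's package after the trusted key itself was swapped in transit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Keyring models the set of public keys apt-key has been told to trust.
type Keyring []ed25519.PublicKey

// VerifyPackage reports whether sig over pkg was made by a key in the keyring;
// this is the only check apt-get can do on a download from a plain-HTTP mirror.
func (k Keyring) VerifyPackage(pkg, sig []byte) bool {
	for _, pub := range k {
		if ed25519.Verify(pub, pkg, sig) {
			return true
		}
	}
	return false
}

// Scenario returns whether each of the three packages verifies against the keyring.
func Scenario() (genuineOK, tamperedOK, substitutedKeyOK bool) {
	maintainerPub, maintainerPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed keys
	attackerPub, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := []byte("constructed package contents") // stands in for a .deb
	sig := ed25519.Sign(maintainerPriv, pkg)

	// Cases 1 and 2: the real key was obtained over a trustworthy channel, so a
	// plain-HTTP mirror can neither forge nor alter a package without detection.
	ring := Keyring{maintainerPub}
	genuineOK = ring.VerifyPackage(pkg, sig)
	tampered := append([]byte(nil), pkg...)
	tampered[0] ^= 0xff // one byte changed in transit
	tamperedOK = ring.VerifyPackage(tampered, sig)

	// Case 3: the key itself came over plain HTTP and was swapped on the way, so the
	// keyring trusts the attacker and the attacker's package passes every check.
	ring = Keyring{attackerPub}
	evil := []byte("constructed malicious package")
	substitutedKeyOK = ring.VerifyPackage(evil, ed25519.Sign(attackerPriv, evil))
	return
}

func main() {
	g, t, s := Scenario()
	fmt.Printf("genuine=%v tampered=%v attacker-after-key-swap=%v\n", g, t, s)
}
```

The signature check is sound in every case; what decides the outcome is how the key got into the keyring.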
You know, it wouldn't be so bad... if it was some random user on a forum suggesting to use insecure http:// to get a public key. (as they do, because most of the time, it's the only mechanism available)
But the fact that Raspbian.org! is giving this insecure advice is shocking!
This is how it's supposed to happen if someone foolishly makes an HTTP request for a public key (just like the bank example):
1. You request http://archive.raspbian.org/raspbian.public.key
2. archive.raspbian.org responds with 301 Moved Permanently and redirects you to make an HTTPS connection, or better, with 400 Bad Request so you realize your mistake!
3. You connect to https://archive.raspbian.org/raspbian.public.key and receive a public key that you can trust has not been changed and is authentic, given to you by archive.raspbian.org.
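As an added example of the server behaviour described in these three steps (my own code, not anything the Raspbian or Raspberry Pi archives run), this Go handler refuses to hand out a public key over plain HTTP, answering either 301 to the https:// URL or 400 Bad Request; archive.example.invalid is a placeholder host and the key body is a constructed placeholder.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const keyPath = "/raspbian.public.key" // key path from the post

// KeyHandler serves the archive public key only on TLS connections. A plain-HTTP
// request is answered with 301 to the https:// URL, or with 400 Bad Request when
// strict is set, so a piped `wget | apt-key add` fails instead of trusting whatever
// arrived over the wire.
func KeyHandler(strict bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != keyPath {
			http.NotFound(w, r)
			return
		}
		if r.TLS == nil { // request did not arrive over HTTPS
			if strict {
				http.Error(w, "public keys are only served over HTTPS", http.StatusBadRequest)
				return
			}
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		w.Header().Set("Content-Type", "application/pgp-keys")
		fmt.Fprint(w, "-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed placeholder)\n-----END PGP PUBLIC KEY BLOCK-----\n")
	})
}

// Probe sends one in-process GET for the key, with or without TLS, and returns
// the status code and the Location header.
func Probe(h http.Handler, overTLS bool) (int, string) {
	req := httptest.NewRequest("GET", "http://archive.example.invalid"+keyPath, nil)
	if overTLS {
		req.TLS = &tls.ConnectionState{} // marks the request as having come over TLS
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	code, loc := Probe(KeyHandler(false), false)
	fmt.Printf("plain HTTP -> %d %s\n", code, loc)
}
```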
I did this, but I can't recommend you do it. You will see why...
"Great, now we will add trustworthy GPG keys" I thought... right? Well no, because they're NOT AVAILABLE!
apt-key list #now you will see all your GPG keys
#don't run these commands, unless you know what you're doing
apt-key del 'Mike Thompson (Raspberry Pi Debian armhf ARMv6+VFP) <email@example.com>'
apt-key del 'Raspberry Pi Archive Signing Key'
apt-key del 'Collabora Raspbian Archive Signing Key <firstname.lastname@example.org>'
apt-key del 'Wolfram Research, Inc. (WolframEngine Raspbery Pi signing key) <email@example.com>'
Not only is correct security practice not followed. Secure public keys are not even frikkin available!
Even though https://www.raspbian.org/RaspbianRepository tells you to run an insecure command... you can make it secure by adding an 's':
wget https://archive.raspbian.org/raspbian.public.key -O - | sudo apt-key add -
This means that every novice user will be fooled into making their Raspberry Pi insecure.
* None of their data may be considered private/secure (passwords, financial records, intellectual property, whatever)
* They could be robbed (see above point)
* Their computer may be used for destructive/nefarious purposes.
But it gets even worse.
Even people who are familiar with the security basics discussed in this forum post are currently unable (as far as I can tell) to securely obtain Raspberry Pi GPG keys.
The Raspberry Pi authors have undermined APT security to such an extent that it makes me question whether they should even be trusted, even if they now start to behave responsibly with regard to security.
Because it seems that they are either not trustworthy at all, or completely incompetent. Neither of these qualities is very reassuring in terms of me wanting to have such a device on my network or trust it with my data.
This is a sad, sad state of affairs. Raspberry Pi is a fundamentally insecure operating system.
Everyone can try these commands:
cd /tmp
#okay great, that worked, so non-novice users can obtain the GPG key securely.
#archive.raspberrypi.org does not even have SSL functional!!! Never mind ALLOWING GPG keys to be downloaded insecurely. They ONLY serve GPG keys insecurely!
#the repository.wolfram.com server does not even have an SSL HTTP server installed at all.
If you found this interesting, you may find this TED talk and these links interesting:
TED Talk: Edward Snowden: Here's how we take back the Internet
NSA Intercepts Internet Devices, Implants "Backdoor" - Leaked Document
Debian bugdoored by NSA
If you try the wget commands I've listed above, your comments would be helpful to back up what I'm saying (GPG keys are served over HTTP and are not available over an HTTPS connection), so that they cannot quickly fix these issues and then try to deny it.
The only way Raspberry Pi, Raspbian, Wolfram etc. can redeem themselves (in my opinion) is to do the following:
1. Acknowledge that they were using very bad security practices and apologize.
2. Deny all HTTP requests for GPG keys with either 301 Moved Permanently or 400 Bad Request.
3. Make GPG keys available via HTTPS
4. Make some kind of statement about their security practices so that we can have some kind of trust that their private keys are secure.
5. Take security more seriously in general.
There is no excuse for Raspberry Pi to completely fail at security as an OS on the assumption that the Raspberry Pi is just a toy.
1. Raspberry Pi has many industrial customers.
2. If security has been weakened so that the NSA can exploit it, as Edward Snowden says, then anyone who is determined enough will find the same exploits and exploit it for their own purposes, any government around the world, hackers, etc.
3. Raspberry Pi is used by many people all over the world for all kinds of things, and they would like to be able to trust the Raspberry Pi with their data and trust it to be on their network etc.
4. Students using the Raspberry Pi as a learning tool should be learning basic security practices.
Security is not an optional nice-to-have.
Encryption is not only for terrorists.
Security is a basic requirement for computers and anyone using them.