diederik
Posts: 393
Joined: Wed Mar 26, 2014 11:17 pm

Re: Rasbian is a completely INSECURE operating system

Sat May 09, 2015 10:19 pm

ShiftPlusOne wrote:I think the best we can do for now is put an alert in raspi-config letting the user know that their network is not secure until they change the password and/or disable ssh.
Just to make clear (to others) SSH is secure!
But not changing the default password is a big security risk and I think it would be a good idea to alert ppl to that in raspi-config or otherwise.

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 6229
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: Rasbian is a completely INSECURE operating system

Sat May 09, 2015 10:25 pm

Yes, sorry if that was unclear.

pi-anazazi
Posts: 716
Joined: Fri Feb 13, 2015 9:22 pm
Location: EU

Re: Rasbian is a completely INSECURE operating system

Sun May 10, 2015 3:49 pm

"Sl wrote:
can we *please* have the possibility to use https
in the apt sources.list for archive.raspberrypi.org ?!"

Argument: It's 2015 and we all know that http is f*cked up on gigantic scale by package injection from script kiddies up to the NSA. Yes, I know certificates are f*cked up on very high level as well, but anyway.

Repositories with https MUST be state-of-the-art in year 2015 and Pi has earned enough money to make that happen. It is an educational project and here it is teaching VERY bad standards. Full stop.
Kind regards

anazazi

gkreidl
Posts: 6325
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: Rasbian is a completely INSECURE operating system

Sun May 10, 2015 4:33 pm

pi-anazazi wrote:"Sl wrote:
can we *please* have the possibility to use https
in the apt sources.list for archive.raspberrypi.org ?!"

Argument: It's 2015 and we all know that http is f*cked up on gigantic scale by package injection from script kiddies up to the NSA. Yes, I know certificates are f*cked up on very high level as well, but anyway.

Repositories with https MUST be state-of-the-art in year 2015 and Pi has earned enough money to make that happen. It is an educational project and here it is teaching VERY bad standards. Full stop.
Are you using google, facebook and twitter? Do you use a smartphone or tablet? Then you're really f*cked up.
Minimal Kiosk Browser (kweb)
Slim, fast webkit browser with support for audio+video+playlists+youtube+pdf+download
Optional fullscreen kiosk mode and command interface for embedded applications
Includes omxplayerGUI, an X front end for omxplayer

Sleep Mode zZ
Posts: 319
Joined: Sun Aug 19, 2012 5:56 am
Location: Finland

Re: Rasbian is a completely INSECURE operating system

Sun May 10, 2015 4:37 pm

pi-anazazi wrote:"Sl wrote:
can we *please* have the possibility to use https
in the apt sources.list for archive.raspberrypi.org ?!"

Argument: It's 2015 and we all know that http is f*cked up on gigantic scale by package injection from script kiddies up to the NSA. Yes, I know certificates are f*cked up on very high level as well, but anyway.

Repositories with https MUST be state-of-the-art in year 2015 and Pi has earned enough money to make that happen. It is an educational project and here it is teaching VERY bad standards. Full stop.
Do you mean /etc/apt/sources.list? Not only Debian but also Ubuntu is using http-addresses in that file. How is it that the engineers at Canonical or Debian have not understood this as a real security threat? Their OSes run on tens of millions of machines, of which many are servers.

What "state-of-the-art" distributions are using https-addresses in their apt sources.list?

How would a script kiddie take advantage of this lax security on tens of millions of computers and mess with their packages?
Last edited by Sleep Mode zZ on Sun May 10, 2015 7:31 pm, edited 1 time in total.

peat_psuwit
Posts: 6
Joined: Sun May 10, 2015 5:50 pm

Re: Rasbian is a completely INSECURE operating system

Sun May 10, 2015 7:15 pm

Well, the point of this thread is to show that the distribution of keys over HTTP is a bad idea because it can be attacked via MITM.
But how one might get keys on one's pi:
  1. Manually download key and put that into apt-key.
  2. As part of disk image distribution.
For the security-paranoid people, here's how to mitigate the risk:
  • To get the keys manually securely, one can get keys via HTTPS, as it's recently added.
  • To ensure integrity of the keys inside disk image, one can check SHA-1 of the image (which is distributed over HTTPS).
But for the average user who doesn't care about this, how much is the risk, exactly?
  • For getting the keys manually, the user probably doesn't do that. That is, except if the user is under MITM already. The story is:
    • User runs "apt-get update". Apt complains that the key doesn't match.
    • User then finds out how to solve the problem on Google and probably uses the first solution. That solution contains instructions to get the keys via HTTP.
    • User then follows those instructions without thinking twice. Bingo! The machine is exploited!
  • For getting the disk image, this happens more frequently. One might download a bad image over HTTP and flash that onto the SD card if one is under MITM.
But either way, the user must be under MITM after that, too. So, the user has to be under MITM beforehand and long after that. How much is the risk for a pi user to be under MITM?
Seriously, one probably update one's pi or download pi's image at coffee shop, right? User probably do that at home, and home network is probably trustworthy. That is, except that the user is the target. One would do anything to attack the user. And even with every trick for security-paranoid people, that user won't survive the surveillance. As blachanc has stated:
if at one point I become the target of a gov or an agency or hacker team like anonymous, I am cooked. No security at the system level will protect me
So, rest assured, the risk is low for most people. For those whose risk is high, protect yourself accordingly.

cyrano
Posts: 714
Joined: Wed Dec 05, 2012 11:48 pm
Location: Belgium

Re: Rasbian is a completely INSECURE operating system

Mon May 11, 2015 12:50 am

So, this is a device that pretends to be educational, but basic security shouldn't be part of this education?

I think I can see the internet collapsing in a few years if this mindset doesn't change drastically. Software is getting more complex and has more and more bugs to exploit. There aren't even enough "eyes" to audit open source software and non-open software isn't secure either.

If we don't start seeing security as something everyone should be aware of and teaching basic security principles from the very beginning, the net will be owned by totalitarian governments and the mafia. And I'm not sure which ones of those I would prefer to have as my master...

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 6229
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: Rasbian is a completely INSECURE operating system

Mon May 11, 2015 1:43 am

It sounds like a handful of people have learned a little about SSL and are now security experts on a crusade.

There are two main reasons to use SSL:
1) Encryption
2) Verification

So, we can ignore point 1, because there are no passwords sent and if you're worrying about people seeing that you're downloading sonic pi then... I don't even.
Point 2 is valid, but is already addressed by the fact that package lists are signed and contain the checksum of everything and apt checks all of that for you.

Then the question becomes about the signing key. Okay, how does that key end up on your pi? It either comes pre-installed on an image, is downloaded using something like wget or is requested from a key server. Okay, we're getting somewhere. The only way to verify the image is to use the checksum, since the download isn't provided over https. That could be a problem, since... who does that? If people download the key, it's up to them where they get it from. You can get it over http or https, whichever suits you best.

Okay, so there are some valid concerns there, but none of them seem to come back to needing SSL for the repo. Not everything needs SSL!

The argument that it's another layer of the security onion is good. But not when the onion is being sliced in half by a user willing to override security features and paste commands from the internet without understanding them. That's a problem, but not one that's solved by https.

cyrano
Posts: 714
Joined: Wed Dec 05, 2012 11:48 pm
Location: Belgium

Re: Rasbian is a completely INSECURE operating system

Mon May 11, 2015 3:02 am

It's NOT about SSL an sich. It's about teaching procedure. A lot of people who are CSI majors haven't got a clue about security procedures.

That's why f.i. input filtering is still not in place in most products. That alone accounts for the majority of exploits floating around. And if you couple an exploit with an incentive (there's money to steal, or passwords fi), someone, somewhere will exploit it sooner or later.

And if we don't start NOW teaching them about procedure, they will continue to deliver products that are full of holes. It's high time, because soon no one will be able to oversee all these different products that run on an average server.

It's just a chance to shine and to secure the future. Businesses will not be doing the teaching, since there is no ROI on investment. I'd like the RPi to be better than all these other SBC creators.

It's not about making a priority about securing the Raspberry download server, but avoiding this discussion because it is simply procedure to be secure.

Maybe I'm too pessimistic about the future of online security, but my opinion is strengthened by a recent scientific report that concluded that it will not get better for two reasons: complexity of code and mentality. Most people in this thread are an example of this mentality. Why put in any effort, it will never be secure.

I don't fear the NSA, but I've been hacked by a crew that had really bad intentions. They kept a low profile, while preparing to use my servers for a DOS attack. At the same time, they were selling DDOS protection to unknowing customers. And that's a business model that is becoming mainstream fast.

And maybe, just maybe, once we have mostly secure software, we can start educating the user. I hear the argument "nothing is safe" too often from users when I point out they shouldn't use "123" as a password.

diederik
Posts: 393
Joined: Wed Mar 26, 2014 11:17 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 11, 2015 1:14 pm

cyrano wrote:Most people in this thread are an example of this mentality. Why put in any effort, it will never be secure.
No, 'most people in this thread' realize that putting the archive under https does not solve the problem others are (apparently) seeing ... because that problem doesn't exist :!:

If you're talking about (proper) procedure, then you should do a risk analysis and then take actions to mitigate the risks identified.
So, tell me/us what problem would putting the archive under https solve?

pi-anazazi
Posts: 716
Joined: Fri Feb 13, 2015 9:22 pm
Location: EU

Re: Rasbian is a completely INSECURE operating system

Mon May 11, 2015 1:16 pm

gkreidl wrote:Are you using google, facebook and twitter? Do you use a smartphone or tablet? Then you're really f*cked up.

None of these I use...
Kind regards

anazazi

pi-anazazi
Posts: 716
Joined: Fri Feb 13, 2015 9:22 pm
Location: EU

Re: Rasbian is a completely INSECURE operating system

Mon May 11, 2015 1:23 pm

https?

At opensuse I would assume it, for pfSense it is a fact.

Wake up.

Checksum: I do it. But if it's not coming via an alternative, trustworthy source, e.g. via a signed eMail or at least in a public post, what should prevent making up the hash value by package injection, if you can modify the package the same way.

Read about the capabilities of the NSA and trust that they are (by far) not the only ones with these capabilities.

Security expert on the current state of cybersecurity and the state of surveillance: "We are playing checkers, they are playing chess". And it will stay this way for years to come, as the so-called experts don't even see a problem.

cheers
Kind regards

anazazi

diederik
Posts: 393
Joined: Wed Mar 26, 2014 11:17 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 11, 2015 2:00 pm

pi-anazazi wrote:Checksum: I do it. But if it's not coming via an alternative, trustworthy source, e.g. via a signed eMail or at least in a public post, what should prevent making up the hash value by package injection, if you can modify the package the same way.
Checksum: apt does it for you using gpg(v).
The package list is signed with raspberrypi's key, which can now be obtained through https (and that was the only real problem there was, but that is now fixed).
That package list contains all the checksums of the packages. If any of those checksums is changed (or anything else in the package list), the verification of the package list will fail and APT will complain loudly about it and refuse to continue.
When an individual package is changed, then its checksum will change and thus will not match the checksum in the package list and APT will complain loudly again and refuse to continue.

So I really don't see what putting the archive under https would solve here ...
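
The hash chain described in the post above, as an added example that is not part of the original thread and not apt's own code. It assumes the Release text has already passed the signature check that apt delegates to gpgv (not reproduced here); the archive contents, paths and helper names are constructed for illustration.

```python
import hashlib


class VerificationError(Exception):
    pass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_hashes(release_text: str) -> dict:
    """Map path -> (sha256, size) from the 'SHA256:' block of a Release file."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_block = False
    return entries


def parse_packages(packages_text: str) -> dict:
    """Map Filename -> (sha256, size) from the stanzas of a Packages index."""
    result = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l.startswith(" "))
        result[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return result


def check(name: str, data: bytes, expected: tuple) -> None:
    digest, size = expected
    if len(data) != size or sha256(data) != digest:
        raise VerificationError(f"hash mismatch: {name}")


def verify_download(release_text, index_path, packages_bytes, deb_path, deb_bytes):
    """Trusted Release -> Packages index -> .deb; raise on the first mismatch."""
    release = parse_release_hashes(release_text)
    if index_path not in release:
        raise VerificationError(f"not listed in Release: {index_path}")
    check(index_path, packages_bytes, release[index_path])
    packages = parse_packages(packages_bytes.decode())
    if deb_path not in packages:
        raise VerificationError(f"not listed in Packages: {deb_path}")
    check(deb_path, deb_bytes, packages[deb_path])
    return True


def make_packages(deb_path: str, deb: bytes) -> bytes:
    """Build a one-stanza Packages index describing the given .deb bytes."""
    return (f"Package: hello\nVersion: 1.0\nFilename: {deb_path}\n"
            f"Size: {len(deb)}\nSHA256: {sha256(deb)}\n").encode()


# Constructed sample archive (not real Raspbian data).
INDEX = "main/binary-armhf/Packages"
DEB_PATH = "pool/main/h/hello/hello_1.0_armhf.deb"
DEB = b"constructed package payload"
PACKAGES = make_packages(DEB_PATH, DEB)
RELEASE = (f"Origin: Example\nSuite: stable\nSHA256:\n"
           f" {sha256(PACKAGES)} {len(PACKAGES)} {INDEX}\n")


def outcome(packages: bytes, deb: bytes) -> str:
    """Return 'ok' or the verification error for what the mirror served."""
    try:
        verify_download(RELEASE, INDEX, packages, DEB_PATH, deb)
        return "ok"
    except VerificationError as err:
        return str(err)


if __name__ == "__main__":
    evil = DEB + b" + modified in transit"
    print(outcome(PACKAGES, DEB))                        # untouched mirror
    print(outcome(PACKAGES, evil))                       # only the .deb changed
    print(outcome(make_packages(DEB_PATH, evil), evil))  # .deb and index both rewritten
```

The third case is the one asked about in the quoted question: a rewritten index with a matching hash for the altered package still fails, because the index itself no longer matches the hash in the signed Release file.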

Heater
Posts: 15944
Joined: Tue Jul 17, 2012 3:02 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 11, 2015 2:07 pm

As far as I can tell if I can connect to the Raspbian download site using https then I am about as secure as is currently possible.

The download site is of course https://www.raspberrypi.org/ so we are doing well there.

That of course assumes I trust the Raspberry Pi Foundation and the Raspbian developers and the upstream Debian developers and the upstream project developers :)

Assuming I do trust all that then I have a hash of the Raspbian image to check against. Last time I checked it was wrong (had not been updated for a new image version). I commented on that here and it was soon fixed.

Given the hash I don't actually need the image to be delivered by https. I could fetch it from anywhere and verify it is correct.

Now, here is today's problem with the current situation: My Chrome browser, Version 42.0.2311.135 (64-bit) on Debian, does not accept that https://raspberrypi.org has been identified because they are using "outdated security settings". See attached image.
Attachment: raspberrypi.org.png
Memory in C++ is a leaky abstraction .

Sleep Mode zZ
Posts: 319
Joined: Sun Aug 19, 2012 5:56 am
Location: Finland

Re: Rasbian is a completely INSECURE operating system

Mon May 11, 2015 2:12 pm

pi-anazazi wrote:https?

At opensuse I would assume it, for pfSense it is a fact.

Wake up.
OpenSUSE does not use apt. Debian and Ubuntu, and probably Mint, use apt and have http-addresses in their sources list. If you know better than them what is secure, you should take up the argument with Debian and not here. In your view, there are tens of millions of Debian-based systems open for exploitation. Lots of servers among them. Hack into a few of them and I'm sure the people responsible will listen. Or rather don't, but explain in detail how you would attack them. You most probably can't. And not explanations where the gist is: "I know there is a belt and I can't find any problem with it, but what if it fails, would not it be best to have suspenders also?"

You could also make your own security oriented distribution for the Pi.
pi-anazazi wrote:Checksum: I do it. But if it's not coming via an alternative, trustworthy source, e.g. via a signed eMail or at least in a public post, what should prevent making up the hash value by package injection, if you can modify the package the same way.

Read about the capabilities of the NSA and trust that they are (by far) not the only ones with these capabilities.
What certificates will your browser or wget accept? How do you know that you can trust them? Certainly they will keep small fry from prying your traffic. NSA? Probably not.

Sleep Mode zZ
Posts: 319
Joined: Sun Aug 19, 2012 5:56 am
Location: Finland

Re: Rasbian is a completely INSECURE operating system

Mon May 11, 2015 2:23 pm

Heater wrote:
Now, here is today's problem with the current situation: My Chrome browser, Version 42.0.2311.135 (64-bit) on Debian, does not accept that https://raspberrypi.org has been identified because they are using "outdated security settings". See attached image.
Curious... My browsers do not show any problems (Opera 29 and Chromium 41). Identity verified. Maybe you are under a 'MITM attack'? My browser shows that the certificate is from GeoTrust Inc. Yours is from RapidSSL?
Last edited by Sleep Mode zZ on Mon May 11, 2015 2:31 pm, edited 1 time in total.

MarkHaysHarris777
Posts: 1820
Joined: Mon Mar 23, 2015 7:39 am
Location: Rochester, MN
Contact: Website

Re: Rasbian is a completely INSECURE operating system

Mon May 11, 2015 2:25 pm

Lope wrote:@ MarkHaysHarris777 If you think of others you might realize that not everyone knows what you know and they might need a little introduction to have a clue about security basics. No need to be rude and so proud about what an expert you are. I don't think you're impressing anybody anyway, probably the opposite. If you continue the trend of thinking of others you might realize not everyone has a whole bunch of raspberry pi's and uses them for unimportant "toy" applications. And then perhaps your opinions and preferences perhaps should not be applied to everybody else. If you don't like reading something, you can go elsewhere instead of creating negativity.
Oh, please. My 'opinion' in this matter is standard Internet security basic protocol and protection. The best security you can have on the Internet is to unplug your computers (yes, all of them) and play golf. The very notion of plugging a computer into the Internet is insecure; duh. If your computer(s) are going to be plugged into the Internet then the best security you can hope for is to be an informed user who follows standard basic security protocol(s). It's your responsibility, NOT the Raspberry PI foundation's responsibility, and not the upstream chain's responsibility. It's all on you, and me. This is NOT high, nor rude, nor proud... it's just simple basic fact(s). Whole entire books (many of them) have been written on security. Your post implies that none of us have read any of them... that might be rude, or proud. A forum is NOT the place to write an Internet security treatise; there are better venues for that purpose.
marcus

Heater
Posts: 15944
Joined: Tue Jul 17, 2012 3:02 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 11, 2015 2:41 pm

My Firefox is not happy with raspberrypi.org verification either: "This web site does not supply ownership information".
Attachment: raspberrypi.org1.png
Memory in C++ is a leaky abstraction .

peat_psuwit
Posts: 6
Joined: Sun May 10, 2015 5:50 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 11, 2015 2:51 pm

Heater wrote:My Firefox is not happy with raspberrypi.org verification either: "This web site does not supply ownership information".
I think that's normal. "Ownership information" is for websites with "extended verification", which raspberrypi.org doesn't have. But that isn't a problem. Websites that should be concerned about extended verification are cyber banking websites and such.

Sleep Mode zZ
Posts: 319
Joined: Sun Aug 19, 2012 5:56 am
Location: Finland

Re: Rasbian is a completely INSECURE operating system

Mon May 11, 2015 2:51 pm

My Firefox shows the same. The site is still secure. Raspberrypi.org probably has not gone through any extended validation when getting that certificate. Extended validation costs more money, so I'm not surprised that many smaller organizations won't pay for it. At least Firefox showed you the proper certificate unlike your Chrome before. :D

And the connection is secure.

Heater
Posts: 15944
Joined: Tue Jul 17, 2012 3:02 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 11, 2015 3:11 pm

Actually if I view certificate information in Chrome I see:

Issued by:

Common Name (CN) RapidSSL SHA256 CA - G3
Organisation (O) GeoTrust Inc.
Organisational Unit (OU) <Not Part Of Certificate>

Which is what my Firefox also says.
Memory in C++ is a leaky abstraction .

Sleep Mode zZ
Posts: 319
Joined: Sun Aug 19, 2012 5:56 am
Location: Finland

Re: Rasbian is a completely INSECURE operating system

Mon May 11, 2015 3:18 pm

Heater wrote:Actually if I view certificate information in Chrome I see:

Issued by:

Common Name (CN) RapidSSL SHA256 CA - G3
Organisation (O) GeoTrust Inc.
Organisational Unit (OU) <Not Part Of Certificate>

Which is what my Firefox also says.
OK. I was mistaken. I thought that GeoTrust and RapidSSL were different certificate authorities. My bad. What is then the reason for Chrome not accepting it? Maybe Chrome/Google wants to push sites away from something they think is outdated? RC4 or something.

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 6229
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: Rasbian is a completely INSECURE operating system

Mon May 11, 2015 3:26 pm

Heater wrote:As far as I can tell if I can connect to the Raspbian download site using https then I am about as secure as is currently possible.
The download site is of course https://www.raspberrypi.org/ so we are doing well there.
Ah, that might be a little misleading since the file itself is on downloads.raspberrypi.org, which doesn't have a cert.

Heater
Posts: 15944
Joined: Tue Jul 17, 2012 3:02 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 11, 2015 3:45 pm

Yes that is a little misleading. Still, as I say, as long as I have the file hash from a trusted source I don't need to care where I get the actual image file from.
Memory in C++ is a leaky abstraction .

Dutch_Master
Posts: 362
Joined: Sat Jul 27, 2013 11:36 am

Re: Rasbian is a completely INSECURE operating system

Tue May 12, 2015 2:52 am

Usually I don't post too often in threads that can be interpreted as 'contentious', but given the title, this one fits right in.

There is an even bigger insecurity in Raspbian: systemd. Some claim it's the best thing since Linus Torvalds wrote the kernel, Linus himself isn't too sure about systemd however. Read on for your own judgement:

http://without-systemd.org

(note: no affiliation, but IMO they have a number of valid points!)

Raspbian is based on Debian, as we all know, and the Debian folks decided remarkably quick to ditch the "ancient" (but functional!) SysVinit system for systemd (that fails consistently on my non-RPi hardware*), making sure sysvinit was really only available for those dev's that knew how to get rid of the systemd dependency chain to get a decent, working system. For me, it meant looking for a suitable Debian replacement. Gentoo-based Funtoo holds the best cards now, but that's personal choice of course ;) I haven't gotten as far as to compile it for the RPI, that'll only happen after obtaining some RPI2 replacements of the current crop of Model B's I have. That'll be a while, other priorities take precedence.

(*if you wanna know: it doesn't allow me to shut down properly, I have to do a hard-shutdown with the power button. After replacing systemd with sysvinit, everything works again :roll: No, I don't want systemd workarounds, I want systemd fixed and thus adhering to the proven Linux/Unix adagio "one tool, one job done perfectly". Yes, I dislike systemd, as you guessed correctly :evil: )
