Christoph Anton Mitterer <cales...@scientia.net> writes:

> Anyway this should demonstrate quite practically how fast attackers are
> these days and that severely reducing the validity times doesn't just
> help against some completely unreal attack vectors.

> Even if the security team is as fast as above, then a victim may be
> compromised by a downgrade attack, thus not even being notified about
> new upgrades.

Packages appearing on mirrors is not how we notify Debian users of
security updates.  We do that by issuing a security advisory.

Yes, it's nice to protect against archive downgrade attacks, but validity
periods are not our primary defense against that.  Our primary defense is
that we send out a DSA telling people exactly what package versions they
need.  If those package versions aren't available, that should raise red
flags.  Teams that run Debian servers in production should be checking
that all packages on their hosts are upgraded to the necessary versions.

I've run such production system clusters for many years now, and the
machinery and tools that you need to have in place to ensure that you
actually pushed out the security update to all systems will also
trivially catch downgrade attacks of the type that you're describing.

That's not to say that shorter validities are meaningless.  They're
helpful for people whose *only* deployment method and check for security
updates is via some sort of automated apt upgrade process, with no one at
the wheel.  Insofar as we can make those people safer without causing
more work for ourselves, we should.  But we shouldn't confuse that with
the right way to check for security updates for Debian systems.  People
who care about security updates need to be subscribed to
debian-security-announce and reading the DSAs.

> Conceptually, the "trust" lies in the server.  Even when the client
> reduces his validity times, then a server could still simply distribute
> old packages, just newly signed.

But the MITM attacker who is launching a downgrade attack can't do this.
It seems to me that if you want to lower the chances of a downgrade
attack for your systems, setting the validity period on your systems is
exactly the tool that you need.
There's no need for anything to change on the server side for you to get
that protection.

-- 
Russ Allbery (r...@debian.org)              <http://www.eyrie.org/~eagle/>

Archive: https://lists.debian.org/87y4rycmcx....@hope.eyrie.org
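As an added illustration of the check Russ describes (verifying that every host carries at least the versions a DSA names, which also catches a package that has slid backwards), here is a version-compliance script that is not part of the original thread; it reimplements dpkg's version ordering in Python and runs on constructed sample data, with the package names, versions and host list all invented.

```python
import re
def _order(c: str) -> int:
    # dpkg ordering: '~' before everything (even end of string), letters before non-letters.
    return -1 if c == "~" else 0 if not c or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: character by character under _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: numeric comparison, leading zeros ignored.
        ma, mb = re.match(r"0*(\d*)", a[i:]), re.match(r"0*(\d*)", b[j:])
        ka, kb = (len(ma.group(1)), ma.group(1)), (len(mb.group(1)), mb.group(1))
        i, j = i + ma.end(), j + mb.end()
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def compare_versions(a: str, b: str) -> int:
    """Compare Debian versions [epoch:]upstream[-revision]; returns <0, 0 or >0."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

# Constructed sample: fixed versions as a DSA would list them (invented package names).
DSA_REQUIRED = {"libexample1": "2.4.7-1+deb8u2", "example-utils": "2.4.7-1+deb8u2"}
# Constructed sample: `dpkg-query -W -f '${Package} ${Version}\n'` output per host.
HOSTS = {
    "web1": "libexample1 2.4.7-1+deb8u2\nexample-utils 2.4.7-1+deb8u2\n",
    "web2": "libexample1 2.4.7-1\nexample-utils 2.4.7-1+deb8u2\n",  # behind the DSA
}

def find_noncompliant(required=DSA_REQUIRED, hosts=HOSTS):
    """Advisory packages installed older than the fixed version, per host (never upgraded or downgraded again)."""
    findings = []
    for host, output in hosts.items():
        installed = dict(line.split() for line in output.splitlines() if line.strip())
        for pkg, fixed in required.items():
            if pkg in installed and compare_versions(installed[pkg], fixed) < 0:
                findings.append((host, pkg, installed[pkg], fixed))
    return findings
```

On a real fleet the input comes from `dpkg-query -W -f '${Package} ${Version}\n'` on each host and `dpkg --compare-versions` remains the authoritative comparator; the client-side knob Russ refers to for the Release validity window is `Acquire::Max-ValidTime` in apt.conf.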