Repository key fetching is insecure
Bug #1449996 reported by dann frazier
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
elasticsearch (Juju Charms Collection) | New | Undecided | Unassigned |
Bug Description
This charm verifies an apt repository using a key it downloads via http. This is not a secure way to verify the repository. The point of signing the repository to begin with is that it is not possible to trust a site based on DNS resolution alone. If an attacker is going to go through the effort of poisoning your DNS to cause you to use a bogus repository, there's no reason they can't also sign that repository with a bogus key and return the corresponding public key in the key fetch process.
I'd suggest providing an independently-
The charm verifies an apt repository using whatever key url you provide. The default that it provides is http because that was all that was available at the time [1], but great that they now provide https.
Or am I missing something? Does it not work if you provide an https uri? (I actually never use the default (external) repository for our internal deploys, using an internal repo we control instead).
Happy to update the default. Do you think it's worth providing the public key in the charm itself for the default repo (only)?
Thanks Dann.
[1] https://www.elastic.co/blog/apt-and-yum-repositories
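Both the bug description and the reply above point at the same fix: the key used to verify the repository must be trusted independently of the download that delivers it, either by shipping it in the charm or by pinning its fingerprint and fetching only over TLS. The following is an added example, not code from the elasticsearch charm or from the Launchpad thread: it computes the OpenPGP v4 fingerprint of a key file the way `gpg --with-fingerprint` does (SHA-1 over `0x99`, the two-byte packet length and the public-key packet body, per RFC 4880 §12.2), compares it against a fingerprint assumed to be pinned in charm configuration, and refuses to fetch over a non-https URL. The `build_sample_key` helper constructs a throwaway RSA key packet so the block runs offline; it is not a real repository key.

```python
"""Verify an apt repository signing key against a pinned OpenPGP fingerprint.

Added example; assumes the charm ships or configures a pinned fingerprint
(e.g. a `repo_key_fingerprint` config option, hypothetical name).
"""
import base64
import hashlib
import hmac
import struct
import urllib.request

PUBLIC_KEY_TAG = 6  # RFC 4880 packet tag for a public-key packet


def dearmor(key_bytes: bytes) -> bytes:
    """Strip ASCII armor if present and return the raw OpenPGP packet bytes."""
    try:
        text = key_bytes.decode("ascii")
    except UnicodeDecodeError:
        return key_bytes  # binary key file, nothing to strip
    if "-----BEGIN PGP PUBLIC KEY BLOCK-----" not in text:
        return key_bytes
    lines = text.splitlines()
    start = lines.index("-----BEGIN PGP PUBLIC KEY BLOCK-----") + 1
    end = lines.index("-----END PGP PUBLIC KEY BLOCK-----")
    body = lines[start:end]
    if "" in body:  # armor headers ("Version: ...") end at the first blank line
        body = body[body.index("") + 1:]
    data = "".join(line for line in body if not line.startswith("="))  # drop CRC24 line
    return base64.b64decode(data, validate=True)


def first_packet(data: bytes):
    """Parse the first OpenPGP packet header; return (tag, packet body)."""
    tag_byte = data[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet")
    if tag_byte & 0x40:  # new-format header
        tag = tag_byte & 0x3F
        l1 = data[1]
        if l1 < 192:
            length, off = l1, 2
        elif l1 < 224:
            length, off = ((l1 - 192) << 8) + data[2] + 192, 3
        elif l1 == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial-length packets are not supported")
    else:  # old-format header; low two bits give the length-field size
        tag = (tag_byte >> 2) & 0x0F
        ltype = tag_byte & 0x03
        if ltype == 0:
            length, off = data[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", data[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate-length packets are not supported")
    return tag, data[off:off + length]


def key_fingerprint(key_bytes: bytes) -> str:
    """Return the 40-hex-digit v4 fingerprint of the primary key in key_bytes."""
    tag, body = first_packet(dearmor(key_bytes))
    if tag != PUBLIC_KEY_TAG:
        raise ValueError("first packet is not a public-key packet")
    if body[0] != 4:
        raise ValueError("only version 4 keys are supported")
    # RFC 4880 12.2: SHA-1 over 0x99 || 2-byte body length || body
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def verify_repo_key(key_bytes: bytes, pinned_fingerprint: str) -> bool:
    """True only if the key's fingerprint matches the one pinned in the charm."""
    want = pinned_fingerprint.replace(" ", "").upper()
    return hmac.compare_digest(key_fingerprint(key_bytes), want)


def fetch_key(url: str) -> bytes:
    """Download a key, refusing plain http: DNS/MitM can swap key and repo together."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to fetch repository key over a non-TLS URL: " + url)
    with urllib.request.urlopen(url) as resp:
        return resp.read()


def build_sample_key(n: int, e: int, created: int = 0, armored: bool = False) -> bytes:
    """Constructed sample: a minimal v4 RSA public-key packet (not a real key)."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    packet = bytes([0x80 | (PUBLIC_KEY_TAG << 2) | 1]) + struct.pack(">H", len(body)) + body
    if not armored:
        return packet
    b64 = base64.b64encode(packet).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + b64 + "\n-----END PGP PUBLIC KEY BLOCK-----\n").encode()
```

In a charm hook the call would be `verify_repo_key(fetch_key(key_url), config["repo_key_fingerprint"])` before `apt-key add`; if the charm ships the key file itself, `fetch_key` is not needed and the fingerprint check still guards against a tampered charm payload. The fingerprint comparison, not the transport, is what makes the key trustworthy: https only prevents an on-path attacker from substituting the key in transit, while the pin ties the key to an out-of-band value the operator chose.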