Broken security path on webserver

Bug #1685023 reported by kdyxphkg@sharklasers.com on 2017-04-20
Affects: ubuntu-website-content
Importance: Undecided
Assigned to: Unassigned

Bug Description

After talking on IRC in #canonical-sysadmin with "wxl", "pietroalbini" and "@fo0bar", this bug has been proven correct and I have been told to file a bug report here.

The short summary of how to show this bug is:

How to reproduce this security issue: install https://addons.mozilla.org/de/firefox/addon/http-nowhere/ to get a visible error. Then browse to the page https://www.ubuntu.com/download/desktop and press download. Done; already broken.

The IRC log probably describes everything and answers all questions about this problem:

[21:39] <ohjq> hello. the website configuration of the ubuntu webpage is not secured up.
[21:40] <ohjq> any of the website admins here?
[21:42] <ohjq> could anyone who is interested in the website configuration/security install this addon and then try to download anything of the ubuntu webpage? Even the torrent file? https://addons.mozilla.org/de/firefox/addon/http-nowhere/
[21:44] <ohjq> The security-path is broken. When the important part came in order - download the software you would install on your bare machine and use it for private data - then the security is broken!
[21:52] <@fo0bar> ohjq: https://www.ubuntu.com/download/how-to-verify -- all ISO releases are GPG signed with the keys indicated on that page
[21:54] <ohjq> fo0bar: probably everyone into security knows that 0,x% of the users that download the iso do the gpg verification. Please don't answer "then they should check" or something like this. Security should be there by default and not require extra knowledge/work
[21:55] <wxl> ohjq: if you want to ensure that the iso is valid, you can always use zsync or torrent, which uses a checksum to verify. although, by downloading them you are trusting the checksum, which is why you should do the gpg verification. if you don't, what other alternative is there?
[21:56] <wxl> ohjq: you could try to find some media vendor that will guarantee that they have checked the gpg. but then again, you have to trust them, too.
[21:56] <ohjq> wxl: install https://addons.mozilla.org/de/firefox/addon/http-nowhere/ and then try to get the torrent file
[21:56] <wxl> ohjq: that does nothing to verify the iso.
[21:57] <ohjq> that verifies that there is no MITM attack and you get the iso from a valid server that has the right to carry the x509 private key
[21:58] <wxl> of course by checking the checksum you can verify that the iso hasn't been changed
[21:58] <wxl> that doesn't even require gpg
[21:58] <wxl> and torrents, zsync do it automatically
[22:00] <ohjq> wxl: should I create a fake torrent file with a modified ubuntu iso inside to prove to you that when you can't get the torrent file securely, downloading over torrent does not add any security?
[22:00] <ohjq> these are really the basics of security we are talking about here now...
[22:01] <wxl> ohjq: ubuntu publishes hashes of all the isos. if you can modify the iso with a man in the middle attack, it would not have the same hashes.
[22:02] <ohjq> wxl: 1. 0,x% of the people check the hashes 2. I was not able to find the hash values just by browsing the download page with https://addons.mozilla.org/de/firefox/addon/http-nowhere/ enabled
[22:03] <ohjq> and there is no notice "hashes can be found here" or something like that. https://www.ubuntu.com/download/desktop does not tell anything about hashes
[22:03] <wxl> ohjq: i can see them quite fine. maybe you should find better add ons.
[22:03] <ohjq> when i press "alternative downloads" then there is still nothing about any hashes: https://www.ubuntu.com/download/alternative-downloads
[22:04] <wxl> if you go through the download process, it suggests "verify your download"
[22:05] <ohjq> you mean by pressing on "download" ?
[22:05] <wxl> yep
[22:06] <wxl> it leads to here and shows you how to find the hashes:
[22:06] <wxl> https://www.ubuntu.com/download/how-to-verify
[22:06] <ohjq> This already did not work. That's what I am telling you here. When you press "download" it immediately creates an insecure connection without any encryption (https)
[22:06] <wxl> even walks you through using gpg
[22:07] <wxl> encryption does not guarantee security
[22:07] <wxl> pretty much nothing does
[22:07] <ohjq> how to reproduce this security issue: Install https://addons.mozilla.org/de/firefox/addon/http-nowhere/ to get a visible error. Then browse to page https://www.ubuntu.com/download/desktop and press download. Done. already broken
[22:08] <wxl> i would advise you to email <email address hidden> and request that https be added to the downloads
[22:09] <ohjq> wxl: "<wxl> pretty much nothing does" . Wtf. This is not an answer I would expect to get from anyone that is (maybe?) responsible for the security of a webpage that many thousands of people go to...
[22:09] <wxl> nope not responsible
[22:09] <wxl> just trying to provide you advice
[22:09] <wxl> the current system relies upon checking hashes
[22:09] <wxl> and in fact, were https to exist it still WOULD rely upon it
[22:09] <@fo0bar> ohjq: if you are arguing that https downloads should be available, that is a valid suggestion and I would suggest filing a bug at https://bugs.launchpad.net/ubuntu-website-content/, but it would have to be an option as most of the community mirrors are http only. and as wxl has explained, there is a secure path for verifying integrity end-to-end
[22:09] <wxl> at least to ensure the integrity of the file
[22:10] <wxl> download errors happen
[22:10] <ohjq> as written in the first sentences: I am here to report this security issue. I know how to do gpg verifications and so on.
[22:10] <wxl> ohjq: if you wish to report it, file a bug as aforementioned
[22:11] <ohjq> fo0bar: what is this "secure path" you are talking about?
[22:11] <ohjq> fo0bar: <ohjq> how to reproduce this security issue: Install https://addons.mozilla.org/de/firefox/addon/http-nowhere/ to get a visible error. Then browse to page https://www.ubuntu.com/download/desktop and press download. Done. already broken
[22:11] <wxl> ohjq: the secure path is gpg verifying the published hashes and then comparing those hashes against the hashes of the downloaded file
[22:11] <ohjq> pressing the download button already breaks this "secure path". Check that with the addon i linked
[22:12] <wxl> ohjq: as both fo0bar and i said, adding https support is a valid request, however, and you can file a bug as aforementioned
[22:13] <wxl> of course you also have to make sure that you actually didn't go to an idn homograph of ubuntu.com, so security doesn't end with https (firefox is actually susceptible to this problem if you haven't taken the appropriate measures)
[22:15] <ohjq> wxl: this is not exactly what I am talking about. Please follow the simple 3 step howto for reproducing the error. There is no secured path for downloading the iso
[22:16] <wxl> ohjq: so go report a bug to the right source
[22:17] <pietroalbini> ohjq, installed the extension just for the sake of it and tried what you're saying: the download is blocked (as I guess is the point of the extension?) but you can still get to the "thank you" page with the link
[22:18] <wxl> ohjq: but my point is to show that security is something you work towards, not something you get to. so if you report a bug to the right forum, we can potentially get closer. but meanwhile, there are ways to ensure your own security.
[22:19] <ohjq> pietroalbini: thanks! That's exactly what I tried to show. The addon forbids http to prove a secure path. It is also so "friendly" that it first tries to turn every http link into an https link. So it is not just a missing "s" in the link; the webserver has a broken security path that is impossible to fix from the user side
[22:19] <wxl> ohjq: so go report a bug.
[22:19] <pietroalbini> ohjq, but you can still get to the page with the instructions on how to verify the image
[22:20] <pietroalbini> you don't need an extension to prove you download the iso image with https
[22:20] <pietroalbini> *http
[22:20] <ohjq> pietroalbini: how? I press download, and nothing happens. That's all. How can/should I go further?
[22:20] <wxl> you could get it with zsync or torrent, ohjq
[22:20] <wxl> or curl/wget for that matter
[22:20] <pietroalbini> ohjq, I press download and I can browse to the donation and then the "thank you" page with the link
[22:21] <pietroalbini> the *actual* download doesn't start, obviously
[22:21] <ohjq> wxl: I can't get the torrent from https. Just go to https://www.ubuntu.com/download/alternative-downloads and press on any torrent file with https://addons.mozilla.org/de/firefox/addon/http-nowhere/ .
[22:21] <wxl> ohjq: you can with http. it's your choice not to use it. and again, you can file a bug.
[22:22] <ohjq> wxl: torrent "would" add some security if you could get the torrent file from the https official server. But you can't.
[22:22] <ohjq> wxl: <ohjq> wxl: should I create a fake torrent file with a modified ubuntu iso inside to prove to you that when you can't get the torrent file securely, downloading over torrent does not add any security?

information type: Private Security → Public