Wiki

• FrontPage
• RecentChanges
• FindPage
• HelpContents
• Hardening/RepoAndImages

Solved

• Debian websites use SSL certs verifiable by most existing OSes
• Some mirrors have https enabled and use SSL certs verifiable by most existing OSes
• Most suites have Valid-Until, preventing indefinite downgrade attacks
• SSL CA and DNSSEC/TLSA/DANE trust paths to Debian SSL certs

• SSL connection to the Debian DNSSEC keys

• Official mirror run by DSA on the Tor network (announcement, followup), unofficial ones run by Debian members too

• netboot.tar.gz are verifiable via the OpenPGP-signed Release files

• win32-loader is verifiable via the OpenPGP-signed files called extrafiles

• deb.debian.org supports https

Issues

• No OpenPGP trust paths (ie Monkeysphere) to Debian or mirror SSL certs
• No OpenPGP trust paths to Debian DNSSEC keys
• Not available in browser certificate pinning (HPKP)
• Mirror updates are not authenticated in any way
• Most clients contacting mirrors reveal package names and version numbers
• Most mirrors probably have default apache2 logging (recording packages, versions, IPs etc)
• Mirrors list does not contain any info about https support
• Security update notices are via email
• No suggestions to or documentation about how to verify signatures

• No downloads that use the subresource integrity for downloads standard.

• No magnet: links for bittorrent downloads on SSL
• No magnet: links for bittorrent downloads on OpenPGP-signed email
• No publishing of hashes of various things in Bitcoin/etc blockchains
• win32-loader is not Windows-code-signed
• win32-loader is not available in the Microsoft Windows Store
• no Debian installer is not available in the Apple Store or other popular stores
• ISO images server and mirrors have the same issues as repository mirrors
• Front page of Debian website links to an ISO image but no signature
• Verifying the ISO images is a convoluted process
• Torrent files for the ISO images are not able to be verified

• BitErrant attacks on BitTorrent via SHA-1 collisions

• No ISO hashes available over HTTPS
• More prominent OpenPGP fingerprints for ISOs
• Preinstalled systems are not able to be verified
• Image downloader/writer programs that verify signatures and hashes

• di-netboot-assistant does not verify things 775904

• snapshot.debian.org validation requires turning off Valid-Until, using expired signatures and old keys, idea for a fix in 763419

• Possible apt sources.list improvements

• all .deb packages are ultimately trusted by the system

• SHA-1 is used in various places in Debian and by tools we use

• Not all Debian services are on Tor onion services

• Debian doesn't yet support binary transparency services (like Cothority

• buildds do not verify source packages against developer keyrings

• User-oriented checklist

• More

See also

• Fedora's status and plans

• Linux Mint new security aspects

• Discussion of HTTPS, OpenPGP and ISOs etc