Which Linux Is Secure? The Analysis Of Top Popular Distributions

Every time people go to a website to download an installation image or update their operating system, most Linux users don’t think about information security. Linux is more secure than OS X and Windows by design, but absolute security is a myth. Yes, some people can store their data high in the Himalayas, but not everyone can. Few of the most popular providers have big security teams, and many users live in countries with censorship such as China, Syria, North Korea, Russia and Cuba.

So, can I be sure that the website of my favourite Linux distribution is the real one and that hackers haven’t replaced its software with infected copies? Can I get a backdoor in my operating system from installed updates? No, but only under these conditions:

  • SSL certificate – the website and the servers that host software and updates must be available over HTTPS: with a MITM (Man-In-The-Middle) attack or phishing, an attacker can steal passwords, logins, cookies and other personal data, or serve you infected software. If updates are installed from a server without an HTTPS connection, hackers or a government can see what software and which versions you have installed.
  • checksums – needed to confirm that the software you downloaded is identical to the software on the distribution’s server, and is neither corrupted nor infected
  • package signing – a stronger confirmation that the downloaded software and the repository are trusted: a checksum alone only detects corruption, because whoever replaces the file can replace an unsigned checksum file too

Three conditions in the formula for success. Time to check right now how they work in the popular Linux distributions. Package signing is now implemented in all the top distributions except Gentoo.
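The three conditions above, carried through as a verification routine for a downloaded image. This is an added example, not code from the original post or from any distribution: it checks that the download URL is https://, that the image’s SHA-256 digest matches its entry in a SHA256SUMS file, and that the SHA256SUMS file carries a valid detached GPG signature (via the system’s gpg binary). The file names distro.iso, SHA256SUMS and SHA256SUMS.gpg are assumptions, and the image bytes and digest are constructed.

```python
"""Verify a downloaded installation image against the three conditions above.

Added example, not from the original post. Assumed artefact names: an image
'distro.iso', a 'SHA256SUMS' file in sha256sum output format, and a detached
signature 'SHA256SUMS.gpg'; the sample bytes and digest are constructed.
"""
import hashlib
import hmac
import re
import shutil
import subprocess
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# One line per file, as produced by `sha256sum`: '<64 hex chars>  <name>'
# (a '*' before the name marks binary mode and is ignored).
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")

# Constructed image content and its SHA-256 (the standard "abc" test vector).
CONSTRUCTED_IMAGE = b"abc"
CONSTRUCTED_SUMS = (
    "# constructed SHA256SUMS for the example\n"
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  distro.iso\n"
)


def is_https(url: str) -> bool:
    """Condition 1: the download location must be an https:// URL.
    http:// and ftp:// are rejected; a MITM can rewrite either in transit."""
    return urlparse(url).scheme == "https"


def parse_sha256sums(text: str) -> dict:
    """Parse a SHA256SUMS file into {filename: lowercase hex digest}.
    Malformed lines raise instead of being skipped, so a truncated or
    tampered file cannot silently pass."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = SUMS_LINE.match(line)
        if match is None:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[match.group(2)] = match.group(1).lower()
    return sums


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-gigabyte images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def checksum_matches(image_path: Path, sums_text: str) -> bool:
    """Condition 2: the image digest must equal its SHA256SUMS entry.
    A missing entry counts as failure, never as 'nothing to check'."""
    expected = parse_sha256sums(sums_text).get(Path(image_path).name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(image_path), expected)


def signature_verified(sums_path: Path, sig_path: Path) -> bool:
    """Condition 3: the SHA256SUMS file itself must carry a valid detached
    GPG signature from a key already in the local keyring. Without this,
    whoever swapped the image could swap the checksum file as well.
    A missing gpg binary returns False: 'could not check' is not 'verified'."""
    if shutil.which("gpg") is None:
        return False
    result = subprocess.run(
        ["gpg", "--verify", str(sig_path), str(sums_path)],
        capture_output=True, text=True,
    )
    return result.returncode == 0


def image_is_trustworthy(url: str, image_path: Path,
                         sums_path: Path, sig_path: Path) -> bool:
    """All three conditions must hold; evaluation order is cheapest first."""
    return (is_https(url)
            and signature_verified(sums_path, sig_path)
            and checksum_matches(image_path, sums_path.read_text()))


def build_fixture() -> tuple:
    """Write the constructed image and SHA256SUMS into a temp dir and return
    (image_path, sums_path). Used by the demo below."""
    workdir = Path(tempfile.mkdtemp(prefix="iso-verify-"))
    image = workdir / "distro.iso"
    image.write_bytes(CONSTRUCTED_IMAGE)
    sums = workdir / "SHA256SUMS"
    sums.write_text(CONSTRUCTED_SUMS)
    return image, sums


if __name__ == "__main__":
    image, sums = build_fixture()
    print("https url  :", is_https("https://example.invalid/distro.iso"))
    print("ftp url    :", is_https("ftp://example.invalid/distro.iso"))
    print("checksum ok:", checksum_matches(image, sums.read_text()))
    # No signature file exists in the fixture, so this reports False.
    print("signature  :", signature_verified(sums, sums.with_suffix(".gpg")))
```

The order of checks matters: the signature on the checksum file is verified before the checksum is compared, because an unsigned SHA256SUMS served over the same HTTP channel as the image proves nothing about who produced either. The signing key must already be in the local keyring, obtained from a source you trust independently of the download mirror.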

Mint


The official Linux Mint website doesn’t support HTTPS. I also couldn’t find any HTTPS mirror, and the same applies to the repositories – a very strange situation for one of the most popular Linux distributions.

Debian


The official Debian website is available over HTTPS, but you can download the installation image only over HTTP or FTP. Using FTP in 2016 is a very bad idea because it uses plain-text authentication and many vulnerabilities in popular clients remain unfixed. Repositories: ~90% over FTP, some mirrors over HTTP. So bad. I highly recommend using Tor to access the repositories; a good manual is here (personal thanks to Julian Andres Klode in the comments).

Ubuntu, Kubuntu, Xubuntu, Lubuntu


Ubuntu.com doesn’t support HTTPS, and the same applies to the repositories and mirrors. The popular user-maintained platform Launchpad is available over HTTPS.

Kubuntu and Xubuntu support HTTPS without redirecting from http://; Lubuntu does not. Images and repositories are HTTP-only.

OpenSUSE


The openSUSE website and repositories are available over HTTPS; the installation images are HTTP-only.

Fedora, RHEL, Centos


HTTPS by default for all. My personal congratulations to Red Hat and the community.

Mageia


The official website, images and repositories are HTTPS-only by default, but the certificate isn’t trusted because it uses the non-recommended SHA-1 algorithm. That is better than plain HTTP, but it can still be hacked.

Manjaro


The official website is available over HTTPS; packages and installation images are HTTP-only.

Arch


A Let’s Encrypt SSL certificate for everything, good work.

Kali


The official website is available over HTTPS; images are served over HTTP but can be verified with GPG. Repositories are HTTP-only. A shame for a digital forensics and penetration testing distribution, isn’t it?

Zorin


HTTP-only.

PCLinuxOS


HTTP-only.

Puppy


Website with a bad SSL certificate; images and repositories are HTTP-only.

Slackware


HTTP-only.

Deepin


HTTP-only.

Elementary


HTTPS by default for all resources. Nice work. The Ubuntu packages it relies on are HTTP-only, though.

Gentoo


The Gentoo website uses HTTPS, but this distribution has a serious problem with packages: they are not signed and can be validated only with a checksum. All manifests are signed with developer keys, but the package manager doesn’t support checking them, so you must verify them manually, which is a big pain.

Qubes OS


The Qubes OS website and installation images support HTTPS. Here the principle is “security by isolation”, without rpm or deb packages: all non-system software runs in Xen virtual machines.

The Winners Are …

Arch, the Red Hat family (Fedora, CentOS, RHEL), Qubes OS.

What if my Linux distribution doesn’t support HTTPS and GPG signing?

Go to the forum or bug tracker and ask “Why?!!”. Seriously, you must do it, because these things are necessary for everyone:

  • privacy
  • ownership – knowing who is who
  • no content or software modified by ISPs/hackers/others
  • no plain-text passwords

Thanks for reading.


  • Julian Andres Klode

    Correction:

    (1) Most Debian mirrors are http

    (2) https does not gain much, as you can still identify security updates being downloaded based on their size.

    (3) Debian even has a Tor hidden service you can fetch packages from, see http://people.skolelinux.org/pere/blog/Always_download_Debian_packages_using_Tor___the_simple_recipe.html

    • Paul Alberto Rufous

      1) Not most, check https://www.debian.org/mirror/list. All primary mirrors are available only over FTP.
      2) Size is not a placebo and can be faked. HTTPS is necessary.
      3) Added to article, thanks.

      • Julian Andres Klode

        1) A lot have ftp in their name, but are actually (mostly or only) HTTP mirrors

        2) Not sure what you’re trying to say. If there was a new security update for foo that is 1.2MB large and there is 1.2MB download from your (security) mirror, you know that the user has foo installed. They also can be reasonably sure which version of the package you have installed afterwards.

        This mostly applies to stable updates, as they almost only get security updates outside of the point release, and have a special security.debian.org mirror (to ensure that the mirrors are up-to-date).

        • Paul Alberto Rufous

          1) Yes, it’s right.
          2) If you’re connected to the distro server without HTTPS, potential attackers know which software and which version you use. This is the first stage of every attack: detect the software and version, then search for vulnerabilities in it. security.debian.org is available only over HTTP.

  • Richard Howell

    Manjaro is actually quite secure:

    Packages are downloaded over HTTP, but they are PGP signed. This means that while someone could see what you are downloading, they can’t affect the payload without producing a signing error. Then you could see the package has been tampered with. Unless one of the developers is compromised, this means this avenue of attack is a non-starter.

    Installation images have MD5 and SHA checksums, so again you can verify their integrity. I suppose someone could sign the checksum file too, but for an attacker to tamper with the checksum file is an awful lot of effort.

    • Paul Alberto Rufous

      PGP signing and checksums are necessary, but potential attackers can analyze your traffic and know which packages and which versions are installed in your OS. That’s very helpful for searching for vulnerabilities.

  • Aniruddha

    This comparison misses the non-free repositories such as rpmfusion. Unfortunately rpmfusion still has some serious security issues: https://lwn.net/Articles/606826/ https://bugzilla.rpmfusion.org/show_bug.cgi?id=3313

    • Paul Alberto Rufous

      Yes, and HTTPS in the Rpmfusion Bugzilla server is broken.