Every time people go to a website and download an installation image or update their operating system, most Linux users don't think about information security. Linux is more secure than OS X and Windows by design, but absolute security is a myth. Yes, some people can store their data high in the Himalayas, but not everyone can. Only a few of the most popular providers have big security teams, and many users live in countries with censorship like China, Syria, North Korea, Russia, Cuba.
So, can I be sure that the website of my beloved Linux distribution is real and that hackers haven't replaced its software with infected copies? Can I get a backdoor in my operating system from installed updates? No, but only under these conditions:
- SSL certificate – the website and the servers with software & updates must be available over HTTPS: with a MITM (Man-In-The-Middle) attack and phishing you can leak passwords, logins, cookies and other personal data, or download infected software. If updates are installed from a server without an HTTPS connection, hackers or the government know what software and which versions you have installed.
- checksums – required to confirm that the software you downloaded and the software on the Linux distribution's server are the same, not broken or infected
- package signing – extended confirmation that the downloaded software and the repository are trusted
Three conditions of the success formula. Time to check right now how it works in the popular Linux distributions. Package signing is now implemented in all top distributions except Gentoo.
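How the checks behind those three conditions look on the command line, as an added example that is not part of the original post: a checksum check of a downloaded image against a published SHA256SUMS file, the `gpg --verify` call for a detached signature on that file, and a scan of an apt `sources.list` for repositories still fetched over plain HTTP or FTP. The image contents, hostnames (`*.example.org`) and sources lines are constructed for the demonstration; the `tor+http://` scheme is the one used by apt-transport-tor.

```shell
# Added example (not from the original post): shell checks for the three
# conditions above. All file names, hosts and sample data are constructed.

# Verify a downloaded image against the distribution's published SHA256SUMS.
# Returns 0 if the hash matches, 1 if it differs or the file is not listed.
verify_image() {
    image="$1"   # path to the downloaded ISO
    sums="$2"    # path to the downloaded SHA256SUMS
    name=$(basename "$image")
    # Pick only this file's line: sha256sum -c would otherwise complain about
    # every other image listed. Both "hash  name" and "hash *name" match.
    line=$(grep -E "^[0-9a-f]{64} [ *]${name}\$" "$sums" || true)
    if [ -z "$line" ]; then
        echo "verify_image: no checksum entry for $name in $sums" >&2
        return 1
    fi
    (cd "$(dirname "$image")" && printf '%s\n' "$line" | sha256sum --status -c -)
}

# A matching checksum proves the file is intact, not who published it, if the
# SHA256SUMS file itself came over plain HTTP. Distributions that ship a
# detached signature close that gap; this needs the distribution's public key
# in your keyring and is not exercised by the demo below.
verify_sums_signature() {
    sums="$1"   # SHA256SUMS
    sig="$2"    # SHA256SUMS.gpg (detached signature)
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --verify "$sig" "$sums"
}

# Flag enabled apt sources that fetch over http:// or ftp://. Commented-out
# lines are ignored and tor+http:// (apt-transport-tor) is not flagged, since
# the ISP then only sees Tor traffic. Returns 1 if anything plaintext is enabled.
audit_sources() {
    sources="$1"
    insecure=$(grep -E '^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?(http|ftp)://' "$sources" || true)
    if [ -n "$insecure" ]; then
        echo "audit_sources: plaintext transports enabled in $sources:" >&2
        echo "$insecure" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# --- constructed demo data, standing in for a real download ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/good" "$DEMO/bad"
printf 'pretend this is the real installation image\n' > "$DEMO/good/distro.iso"
printf 'pretend this is a tampered installation image\n' > "$DEMO/bad/distro.iso"
# What the mirror would publish, computed from the genuine image:
(cd "$DEMO/good" && sha256sum distro.iso > "$DEMO/SHA256SUMS")

cat > "$DEMO/sources.list" <<'EOF'
deb http://mirror.example.org/distro stable main
deb [arch=amd64] ftp://ftp.example.org/distro stable main
# deb http://disabled.example.org/distro stable main
deb https://deb.example.org/distro stable main
EOF
cat > "$DEMO/sources.tor.list" <<'EOF'
deb tor+http://mirror.example.org/distro stable main
deb https://deb.example.org/distro stable main
EOF

if verify_image "$DEMO/good/distro.iso" "$DEMO/SHA256SUMS"; then
    echo "good/distro.iso: checksum OK"
fi
if ! verify_image "$DEMO/bad/distro.iso" "$DEMO/SHA256SUMS"; then
    echo "bad/distro.iso: checksum MISMATCH, do not install"
fi
audit_sources "$DEMO/sources.list" || echo "sources.list: switch these mirrors to https or tor+http"
audit_sources "$DEMO/sources.tor.list" && echo "sources.tor.list: no plaintext transport"
```

Run it with `sh` and read the two `echo` lines: the same image content passes in one directory and fails in the other because only the hash, not the file name, is trusted, and the sources audit reports the exact lines that still travel in clear text past your ISP.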
The Linux Mint official website doesn't support HTTPS. I also can't find any HTTPS mirror, and the same goes for the repositories – a very strange situation for one of the most popular Linux distributions.
The official Debian website is available over HTTPS, but you can download the installation image only over HTTP or FTP. Using FTP in 2016 is a very bad idea, because authentication is in plain text and many vulnerabilities in popular clients aren't fixed. Repositories – ~90% over FTP, some mirrors over HTTP. So bad. I highly recommend using Tor for access to the repositories; a good manual is here (personal thanks to Julian Andres Klode from the comments).
Ubuntu, Kubuntu, Xubuntu, Lubuntu
The openSUSE website and repositories are available over HTTPS; the installation images are HTTP-only.
Fedora, RHEL, Centos
The official website, images and repositories are HTTPS-only by default, but the certificate isn't trusted because it uses the non-recommended SHA-1 algorithm. It's better than plain HTTP, but can still be attacked.
The official website is available over HTTPS; packages and installation images are HTTP-only.
A Let's Encrypt SSL certificate for everything, good work.
The official website is available over HTTPS; images are HTTP, but can be verified with GPG. Repositories are HTTP-only. A shame for a digital forensics and penetration testing distribution, don't you think?
Website with a bad SSL certificate; images and repositories are HTTP-only.
HTTPS by default for all resources. Nice work. Ubuntu packages are HTTP-only.
The Gentoo website uses HTTPS, but this distribution has a serious problem with packages – they're not signed and can be validated only with a checksum. All manifests are signed with developer keys, but checking isn't supported in the package manager and you must verify them manually, with great pain.
The Qubes OS website and installation images support HTTPS. Here the principle is “secure by isolation”, without rpm or deb packages. All non-system software runs in Xen virtual machines.
The Winners Are …
Arch, the Red Hat family (Fedora, CentOS, RHEL), Qubes OS.
What if my Linux distribution doesn't support HTTPS and GPG signing?
Go to the forum or bug tracker and ask “Why?!!”. Seriously, you must do it, because these things are necessary for everyone:
- ownership – who is who
- no content or software modified by ISP/hackers/others
- no plain text passwords
Thanks for reading.