Dangerous default APT sources in Kali

**taoteching** · 2017-03-05

In a world where your ISP and government are not out for your best interest, you cannot be careful enough.

Why are the default sources for Kali insecure? (http)
Why isn't apt-transport-https installed by default?
Why aren't the Kali repo's certificates correctly configured?

This is very dangerous and irresponsible on your end, with millions of users trusting your software to be >>> safe <<<.

Source (research danger of insecure sources): https://isis.poly.edu/~jcappos/paper...ror_ccs_08.pdf

Unless...?

Please enlighten me.

**bolexxx** · 2017-03-05

Apt transport does not need to be via HTTPS for the transfer packages to be secure, as all our packages, as well as repositories are signed via GPG. Any attempt to tamper with a package or a repository would be visible to both users and kali repo admins.

**_defalt** · 2017-03-06

Upgrades are signed with GPG. Operating sysytem will reject them if signature is found to be different. Using https for downloading packages will consume lot of bandwidth which may not be feasible for client and server.

**taoteching** · 2017-03-08

Originally Posted by _defalt

Upgrades are signed with GPG. Operating sysytem will reject them if signature is found to be different. Using https for downloading packages will consume lot of bandwidth which may not be feasible for client and server.

The bandwidth issue is the only reason I wouldn't do it, but there are still reasons why I would prefer it encrypted:

1. Privacy (needless to say that I don't want someone knowing I'm downloading off the Kali servers, or what I'm downloading)

2. "...numerous research papers have shown both APT and YUM repositories to be vulnerable to replay attacks when the repository is accessed via HTTP, even with GPG signatures. Repositories should only be accessed via TLS, 100% of the time." – Joe Damato (from http://unix.stackexchange.com/questi...ebian-apt-tool)

I wouldn't mind the extra wait to stay secure!

**_defalt** · 2017-03-08

Originally Posted by taoteching

The bandwidth issue is the only reason I wouldn't do it, but there are still reasons why I would prefer it encrypted:

1. Privacy (needless to say that I don't want someone knowing I'm downloading off the Kali servers, or what I'm downloading)
I wouldn't mind the extra wait to stay secure!

If i know that you are connected to APT repository, that is not tough to guess that you are downloading upgrades because that is the only reason why one goes there. That apache server is only used for uploading upgrades for users.

**taoteching** · 2017-03-21

Originally Posted by _defalt

If i know that you are connected to APT repository, that is not tough to guess that you are downloading upgrades because that is the only reason why one goes there. That apache server is only used for uploading upgrades for users.

Would the ISP know what APT repo/if it is an APT repo if it was encrypted?
If so, a HTTPS proxy should be able to take care of that.

And what about my other point?

2. "...numerous research papers have shown both APT and YUM repositories to be vulnerable to replay attacks when the repository is accessed via HTTP, even with GPG signatures. Repositories should only be accessed via TLS, 100% of the time." – Joe Damato (from http://unix.stackexchange.com/questi...ebian-apt-tool)

**_defalt** · 2017-03-21

Originally Posted by taoteching

Would the ISP know what APT repo/if it is an APT repo if it was encrypted?
If so, a HTTPS proxy should be able to take care of that.

And what about my other point?

2. "...numerous research papers have shown both APT and YUM repositories to be vulnerable to replay attacks when the repository is accessed via HTTP, even with GPG signatures. Repositories should only be accessed via TLS, 100% of the time." – Joe Damato (from http://unix.stackexchange.com/questi...ebian-apt-tool)

If i was your ISP, i would look for Server-Name Indication which is an extension of TLS that will tell me that you are connected to APT repo server and downloading something which i can't see what it is. If i'm unable to use SNI then i'll just reverse DNS the IP Address of that server and visit their site to see what it is. I'll come to know that it is an apache server which is used to upload upgrades for kali-linux repositories. So even if you use https, i'll come to know that you are connected to that server just for downloading upgrades. So you can't keep privacy because you can't hide which server you are connected to.

Replay attacks can be prevented by sending sequence counter with HMAC.

**taoteching** · 2017-04-02

Originally Posted by _defalt

Replay attacks can be prevented by sending sequence counter with HMAC.

Is this enabled by default?

And my main concern is public networks. It should be impossible for a MITM to intercept any APT transport (with SSL).

**_defalt** · 2017-04-02

Using TLS for upgrades has more disadvantages than its advantages.

Thread: Dangerous default APT sources in Kali

Thread Tools

Search Thread

Display

Dangerous default APT sources in Kali

Similar Threads

E: Malformed entry 1 in list file /etc/apt/sources.list.d/tor.list (Component)E: The list of sources

Missing packages in Kali.org**/Or Possible hacked sources? while updating linux?

What should be in my kali linux 1.1.0 sources.list file ?

Tags for this Thread

Posting Permissions