The last time Hackerfall tried to access this page, it returned a not found error. A cached version of the page is below, or clickhereto continue anyway

The sad state of Linux download security

TL;DR: Installation images for many of the most popular Linux distributions are difficult or impossible to obtain securely via download.

Update 2

openSUSE has updated their Tumbleweed installation page with verification instructions, the signing key fingerprint, and references to GPG-signed checksums. It now contains all the information needed for secure verification in one place. That's great news!

Update

Whoa, this has turned out to be a controversial one!

I have received dozens of messages from individuals having something to say on this subject. Some of these were supportive and largely confirmed my findings, many others were critical, some of them aggressively so. We do all love our favorite distros :)

The criticism mostly falls into a few categories, so instead of replying to each message separately, I am grouping them here:

"You are a [INSULT]."

Of course, I have no intention to respond to these, but yes I did get them. It's the Internet after all...

"HTTPS vs. HTTP does not matter because download MitM isn't really a threat."

This one surprised me the most, yet it was voiced by multiple people so I feel I just have to respond to it. To put it plainly, that statement is nonsense. The whole point of the awkward, expensive and complicated certificate authority system is that MitM is a very real threat. I'm not even going to bother linking to any of the numerous articles showing that malicious code injection into HTTP downloads 1. is possible, and 2. has demonstrably happened in the past. Why anyone would dismiss this concern when SSL can be set up for free in less than an hour with Let's Encrypt is beyond me.

"Compromise of the download server is a far greater threat."

I fully agree. Unfortunately, there is no way for a user to assess whether such a compromise has happened except by reading about it in a post-mortem when it's already too late. Therefore, my focus has been on security features that can be evaluated externally.

"You wrote that [DISTRO]'s instructions are not there/hard to find, but they are actually at [LINK]/in the wiki etc."

If something cannot be found, it does not exist. If something cannot be found by a casual/new user, it does not exist for a casual/new user. The (only!) right place for checksum/signature files and verification instructions (or links to them) is on the very same page that the image is downloaded from. Debian's NetInstall download page, for example, contains none of these words: Checksum, signature, GPG, PGP, verify, verification. That does not qualify as "not hard to find" except maybe for people who already know where to look.

"You are wrong about openSUSE not offering signatures and not being possible to verify securely."

It turns out that I was indeed wrong here, because, as pointed out by several people, the SHA-256 checksums offered on the Tumbleweed installation page are in fact GPG signed. I apologize for the mistake and any confusion it may have caused and have amended the table below.

However, while I regret this oversight I must mention that

  1. the above mentioned installation page does not contain the words signature, GPG, PGP, verify
  2. the links to the checksum files are labeled "Checksum (SHA-256)", not "signed checksum", "SHA-256 + GPG" or anything else that could provide a clue that signatures are inside
  3. the checksum files are served over plain HTTP, so just verifying them with sha256sum (and not checking the signature) provides no security against MitM code injection
  4. the page does not contain a link to (or fingerprint of) the signing key (I have been informed it's here yup, plain HTTP again, though with an HTTPS option + HSTS at least).

These points are precisely what led me to my (wrong) conclusion, and could easily lead others looking for verification options to the same. Fortunately, the openSUSE team seems to agree in principle as they are working on a revamped download page, containing, yes, a "verify" section, a link to a full walkthrough for GPG verification, and a direct (HTTP) link to the signing key! And on top of that, the page looks really great.

A decade and a half ago, SuSE Linux Professional 5 (in a beautiful green box set) was the very first Linux I ever used, so I'm glad to see that they are making these and other tweaks which in the future should make it much easier for people to verify their downloads than it currently is.

It also turns out that, unsurprisingly, I am not the first to notice the download security deficiencies in Linux distributions and to try to compile them systematically: https://github.com/hackers-terabit/linuxmitm contains a table quite similar to the one in this article. I was unaware of linuxmitm when I wrote my post, but it's encouraging to see that I am clearly not alone in being bothered by these glaringly obvious issues.

The original article follows:

Linux security is a very complex topic. Modern Linux distributions boast intricate security features in both kernel and userspace, designed to guard against anything from memory corruption exploits to DoS attacks using systems like KASLR and AppArmor.

But to benefit from any of these, Linux must first be installed, and that usually means downloading an ISO image from the distribution's website.

It is here that security practices seem to be at their weakest. Even very popular distributions routinely fail to provide adequate means and instructions for the simple task of obtaining and verifying downloaded images in a secure manner. This post describes a few simple criteria for evaluating a Linux distribution's dedication to download security and then looks at how the major distros fare when measured using the same.

Criteria

Download page supports HTTPS

If this is not the case, none of the provided information is trustworthy to begin with. Everything might be inspected and modified in transit, including download links, checksums, key references and signatures. With the advent of Let's Encrypt, free SSL certificates are now readily available and there is simply no longer any excuse for not offering HTTPS on something as critical as the webpage from which people download their operating system.

Download page forces HTTPS

A "best practice" extension of the above. Why let people even use unsafe plain HTTP connections if HTTPS is already available? Bonus points if HSTS is used to prevent downgrade attacks.

Download via HTTPS

Even in 2016, the vast majority of file downloads on the web is served via plain HTTP. The usual argument revolves around the performance overhead associated with wrapping HTTP in TLS, although that overhead has repeatedly been demonstrated to be minimal and should be well worth it considering the security HTTPS can add to a critical software download.

Checksum available

At the very minimum, a checksum should be offered (via HTTPS, of course) so that users may verify the integrity of their download. MD5 has been broken long ago while SHA-1 is close to being broken, so ideally this should be SHA-256, for which software to compute it comes preinstalled on Linux (sha256sum).

GPG signature available

The gold standard for file verification are OpenPGP cryptographic signatures. These are readily checked using GnuPG, which again ships with every mainstream Linux distribution out of the box. If the downloaded distro is the same as the one it is downloaded with (say, Debian), the signing key will already be in the system's key store and does not need to be downloaded separately.

Verification instructions clear and easy to find

Checksums and signatures are of little benefit if they themselves and the instructions for using them are hidden on some subpage that is not even linked to from the download page. Ideally, the download page itself should contain the checksums, links to the signature files, as well as instructions (or a link to instructions) for verifying them on all major operating systems. A web search brings up dozens of layman-friendly resources explaining checksums and GPG in detail, so not linking to those and leaving users to discover the details themselves is just lazy.

DistroWatch Top 10

The DistroWatch Page Hit Ranking is a somewhat arbitrary, yet commonly cited index for assessing the relative popularity of Linux distributions.

Evaluating the top-ranked distributions' download pages using the above criteria yields the following table as of July 17, 2016:

Distro HTTPS supported HTTPS forced HTTPS download Checksum Signature Instructions Mint Yes Yes No1 Externally hosted Yes Difficult2 Debian Yes Yes No Hard to find3 Hard to find3 Difficult3 Ubuntu No No No HTTP only Yes Very clear openSUSE Yes Yes No HTTP only No Yes7 None Clear8 Manjaro Yes No No Yes (SHA-1) Yes Clear Fedora Yes Yes Yes Yes Yes Clear4 Zorin No No No5 HTTP only No None CentOS Yes Yes No HTTP only Yes Hard to find6 elementary Yes No Yes Yes No Clear Arch Yes Yes No Yes (SHA-1) Yes None

1 Some download mirrors support HTTPS, but are linked to via HTTP only.2 The (externally hosted) signature and checksum files are not linked to directly. The user has to navigate through multiple subdirectories to find them.3 "Official releases of Debian CDs come with signed checksum files; look for them alongside the images in the iso-cd, jigdo-dvd, iso-hybrid etc. directories." No directory or direct links are provided. Verification instructions are not linked to from the download page.4 Not linked to directly from the download page.5 Additionally, Zorin OS downloads are funneled through intransparent "bit.ly" links.6 No instructions on the download page. A web search brings up a page with obscure references to a "md5sum.txt" that "can be found in the same directory as the iso image".7 Erratum: openSUSE does sign its checksums, though they are not currently labeled as being signed on the download page. See the "Update" section at the beginning of this article for more details.8 In reaction to this article, openSUSE has expanded the Tumbleweed installation page with all information necessary to securely verify ISO downloads.

Conclusions

As so often when it comes to security, Fedora takes the crown, doing everything right. The ever-popular Ubuntu shows catastrophic deficits, and is one of only two distributions that flat out does not support HTTPS at all anywhere on its website, though ironically it boasts the single best instructions for verifying the download.

Top-ranked distribution Linux Mint still trusts external hosts with its ISOs and checksum files, which is quite a shame given that the installer was compromised earlier this year.

Incredibly, there does not appear to be any way whatsoever to securely verify downloads from respected openSUSE. Erratum: This statement is incorrect because openSUSE does sign its checksums, though they are not currently labeled as being signed on the download page. See the "Update" section at the beginning of this article for more details.

Overall, the analysis reveals a mixed bag of download security practices and generally insufficient verification instructions, especially for new users. Linux security appears to be seriously flawed before Linux is ever installed on a machine. Most of the flaws would be trivial to fix, and some of the distros do get it right, so the blame lies squarely with the maintainers.

Cover image: Samuel Blanc (Wikimedia Commons, CC-BY-SA)

Continue reading on worldwidemann.com