Closed Nurmagoz closed 4 years ago
Although this isn't really a Qubes-specific issue, I have seen Egyptian ISPs inject malicious content into HTTP requests before. Maybe Qubes should push an update to use only HTTPS repos? Users could of course edit the repo files themselves, but some might not know how.
Although deb.qubes-os.org is reachable over HTTPS, security.debian.org is not (sic!). Also, I remember there was some recommendation against using apt-transport-https, but I believe it was about many mirrors not supporting it. @adrelanos what do you recommend? We could at least switch deb.qubes-os.org to https by default.
As for onion by default - no, that's out of the question. See https://github.com/QubesOS/qubes-issues/issues/2604#issuecomment-330423579 (and next comments) for discussion about it.
I asked on the Debian security mailing list, and one of them answered to use another mirror of the SSL Debian security repo:
deb https://deb.debian.org/debian-security stretch/updates main
The question remains whether we can shift all of the repos to use SSL by default for the sake of users' security and to avoid harming them through a malicious ISP.
Don't remember off the top of my head.
Marek Marczykowski-Górecki:
> As for onion by default - no, that's out of the question. See https://github.com/QubesOS/qubes-issues/issues/2604#issuecomment-330423579 (and next comments) for discussion about it.
Agreed.
We'd most likely welcome any stability and usability improvement patches. Ideally we'd make it all as easy as on/off switch GUI buttons.
@TNTBOMBOM @andrewdavidwong This issue could be closed? All merges set https by default for repositories
From my side yes, all repos are https by default currently!
ThX!
unman:
> @TNTBOMBOM @andrewdavidwong This issue could be closed? All merges set https by default for repositories
Qubes OS version:
Qubes 4
Affected component(s):
Repositories with HTTP
Steps to reproduce the behavior:
Welcome to middle east
Expected behavior:
To update/upgrade without interference from the ISP.
Actual horror behavior:
I have discovered that Etisalat (an ISP of the UAE, which also has a branch in Egypt) names popped up in the middle of the apt upgrade inside Debian. As we see, all HTTPS requests went through except Qubes and the Debian security repo, which has an issue with their SSL or port configuration (that's why I'm using the default Debian HTTP repo):
The way that Etisalat did the attack:
There is a payment page which is pushed from Etisalat, affecting only the HTTP request:
The HTTP URL used to manipulate the Firefox connection:
https://onlineservices.etisalat.ae/scp/open/osdpages/billPayment.jsp?internetusername=etisalat&ref=http://detectportal.firefox.com/success.txt
The page will show something like this if you request any HTTP website through Firefox:
Luckily I have used ooni-probe to detect if there is any network tampering for HTTP manipulation, and yep, there was:
What we learn from this:
We need to use only HTTPS or Onion (or anything better if there is an alternative) for all the repos inside Qubes OS, from Qubes repos to Fedora to Debian to ... etc.
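
An added example, not part of the original thread: a shell sketch that audits one-line-style apt source entries for plain-HTTP URIs and moves the two hosts named in the thread to HTTPS (security.debian.org to the deb.debian.org/debian-security mirror, and deb.qubes-os.org). The function names, the sample entries, the `/example/vm` path and `mirror.example.org` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Works on one-line-style apt source entries.

# Shared awk snippet: set i to the index of the URI field of a deb/deb-src
# entry, skipping an optional "[opt=val ...]" field that may span several words.
URI_FIELD='
    i = 2
    if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
'

# List "<line number> <uri>" for each active entry still fetched over http://.
find_http_sources() {
    awk '($1 == "deb" || $1 == "deb-src") {'"$URI_FIELD"'
        if ($i ~ /^http:\/\//) print NR, $i
    }' "$@"
}

# Print the input with the two hosts the thread names moved to HTTPS:
# security.debian.org -> deb.debian.org/debian-security, and deb.qubes-os.org.
# Any other http:// host is left untouched for manual review.
rewrite_https() {
    awk '($1 == "deb" || $1 == "deb-src") {'"$URI_FIELD"'
        if (i <= NF) {
            sub(/^http:\/\/security\.debian\.org(\/debian-security)?\/?$/,
                "https://deb.debian.org/debian-security", $i)
            sub(/^http:\/\/deb\.qubes-os\.org/, "https://deb.qubes-os.org", $i)
        }
    }
    { print }' "$@"
}

# Constructed sample input (paths and the last mirror are made up).
sample_sources() {
cat <<'EOF'
deb http://security.debian.org/ stretch/updates main
deb [arch=amd64] http://deb.qubes-os.org/example/vm stretch main
# deb http://deb.qubes-os.org/example/vm stretch-testing main
deb-src https://deb.debian.org/debian stretch main
deb http://mirror.example.org/debian stretch main
EOF
}

# Rewrite the sample, then list what is still plain HTTP afterwards.
sample_sources | rewrite_https | find_http_sources
```

On Debian stretch, https:// entries only work once the apt-transport-https package is installed, so install it before switching the sources over.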