search

meganz / MEGAcmd

Command Line Interactive and Scriptable Application to access MEGA
Other
1.94k stars 407 forks source link

Insecure RSA1024 key for debian repo #402

Open AgentOak opened 4 years ago

AgentOak commented 4 years ago

The debian APT repository that gets automatically added to your system when installing the mega-cmd deb package is signed using an RSA1024 key.

pub   rsa1024 2015-11-07 [SC] [expires: 2025-11-04]
      8F20 8FBF 12FE E766 AA32  AEAF 03C3 AD3A 7F06 8E5D
uid           [ unknown] MegaLimited <support@mega.co.nz>
sub   rsa1024 2015-11-07 [E] [expires: 2025-11-04]

NIST recommendations disallowed the use of RSA1024 after 2010 and even RSA2048 keys are only permitted until 2030. Support for insecure 1024 bit keys was removed from browsers in 2014 already.

It is speculated that state-backed attackers may have the ability to crack 1024 bit keys (publicly a 829 bit keys has been cracked so far), which would allow them to install malicious software on affected systems.

To protect against man-in-the-middle attacks now and in the future, the key should be exchanged for a 3072+ bit key as soon as possible. Debian's own repositories use RSA4096 keys exclusively.

AgentOak commented 3 years ago

Any plans to move to a secure key yet?

polmr commented 3 years ago

We will shortly update to a lengthier key. Thanks for your collaboration!

Danrancan commented 2 years ago

We will shortly update to a lengthier key. Thanks for your collaboration!

Get on this @polmr. This should have been done by Oct. 6th 2021. You workin' with nation states bro?