
Mirrors use by default http

Posted: 2018/01/16 23:30:27
by mpiechotka
I noticed that by default mirrors use http links, making MITM attacks possible. The only way to select an https:// mirror is to check them one by one.

In addition, all other files used to verify the download (checksums etc.) are available only over the same channel. Ideally, small files (.torrent/checksums) would be served directly from centos.org to allow verification from a more trusted source. While there are .asc files, there is no established chain of trust and therefore they could be easily forged.

Re: Mirrors use by default http

Posted: 2018/01/17 00:08:50
by avij
The keys are available over https at https://www.centos.org/keys/

https://wiki.centos.org/Download/Verify describes the procedure for verifying .iso images.

All the rpm files on mirrors are signed, and yum will verify the signatures when installing a package.

In addition, repodata is signed. You will need to add repo_gpgcheck=1 to your CentOS repository files to enable this check, though.

What this boils down to is that there is a verifiable chain of trust for the content.
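
An added example, not part of the original post: a small audit of yum `.repo` file contents that reports, per enabled repository, whether `gpgcheck` and `repo_gpgcheck` are switched on and whether the mirror URL is plain http. The sample repo text and the `mirror.example.org` host are constructed, the function name is hypothetical, and the check looks only at each repo section, ignoring any defaults set in `[main]` of yum.conf.

```python
import configparser

# Constructed sample modeled on a CentOS .repo file (mirror.example.org is a placeholder).
SAMPLE_REPO = """\
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[updates]
name=CentOS-$releasever - Updates
baseurl=https://mirror.example.org/centos/$releasever/updates/$basearch/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[extras]
name=CentOS-$releasever - Extras
baseurl=http://mirror.example.org/centos/$releasever/extras/$basearch/
enabled=0
"""

TRUE_VALUES = {"1", "yes", "true"}

def audit_repo_text(text):
    """Return {repo_id: [findings]} for every enabled repo in a .repo file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    report = {}
    for repo in cp.sections():
        opts = cp[repo]
        if opts.get("enabled", "1").strip().lower() not in TRUE_VALUES:
            continue  # disabled repos are never fetched, so skip them
        findings = []
        for key in ("gpgcheck", "repo_gpgcheck"):
            if opts.get(key, "").strip().lower() not in TRUE_VALUES:
                findings.append(f"{key} not enabled in this section")
        for key in ("baseurl", "mirrorlist"):
            urls = opts.get(key, "").split()  # baseurl may list several URLs
            if any(u.lower().startswith("http://") for u in urls):
                findings.append(f"{key} uses plain http")
        report[repo] = findings
    return report

if __name__ == "__main__":
    for repo, findings in audit_repo_text(SAMPLE_REPO).items():
        print(repo, "->", findings or "ok")
```

To audit a real system, pass the contents of each file under `/etc/yum.repos.d/` to the function.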

Re: Mirrors use by default http

Posted: 2018/01/19 17:19:13
by mpiechotka
Sorry for the late reply, but I didn't get the notification.
  • From a user's point of view, GPG keys are not easily accessible. The chain is 'Download CentOS' -> 'verify iso' -> 'if you wish to verify (...) detailed instructions'. This seems a very deep and convoluted path, and I would assume 90% of users don't do it.
  • I'm not saying that GPG should not be used, but https has the benefit of being applied automatically, without user interaction, as opposed to 6 different steps, the description of which is hidden behind 4 levels on the webpage.

Re: Mirrors use by default http

Posted: 2018/08/19 14:25:20
by NixIs4Kids
I agree with mpiechotka, the ISO checksum page needs to be served via HTTPS.

http://mirror.centos.org/centos/7/isos/ ... um.txt.asc