Mirrors use by default http

Having issues using the CentOS WebSite? Then describe your problem(s) here. Please include details of your platform (Linux, Mac, Windows) and browser -- not forgetting the versions of each.
Post Reply
mpiechotka
Posts: 2
Joined: 2018/01/13 01:12:14

Mirrors use by default http

Post by mpiechotka » 2018/01/16 23:30:27

I noticed that by default mirrors use http links making MITM attacks possible. The only way to select https:// mirror is to check one by one.

In addition all other files to verify download (checksums etc.) are available only by the same channel. Ideally small files (.torrent/checksums) would be served directly from the centos.org to allow verification from more trusted source. While there are .asc files there is no established chain of trust and therefore they could be easily forged.

User avatar
avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland
Contact:

Re: Mirrors use by default http

Post by avij » 2018/01/17 00:08:50

The keys are available over https at https://www.centos.org/keys/

https://wiki.centos.org/Download/Verify describes the procedure for verifying .iso images.

All the rpm files on mirrors are signed, and yum will verify the signatures when installing a package.

In addition, repodata is signed. You will need to add repo_gpgcheck=1 to your CentOS repository files to enable this check, though.

What this boils down is that there is a verifiable chain of trust for the content.

mpiechotka
Posts: 2
Joined: 2018/01/13 01:12:14

Re: Mirrors use by default http

Post by mpiechotka » 2018/01/19 17:19:13

Sorry for late reply but I haven't got the notification.
  • From users point of view GPG keys are not easily accessible. The chain of it is 'Download CentOS' -> 'verify iso' -> 'if you wish to verify (...) detailed instructions'. This seems very deep and convoluted path and I would assume 90% of users don't do it.
  • I'm not saying that GPG should not be used but https have benefit of being applied automatically, without user interaction as opposed to 6 different steps description of which is hidden behind 4 levels on webpage.

NixIs4Kids
Posts: 1
Joined: 2018/08/19 14:22:51

Re: Mirrors use by default http

Post by NixIs4Kids » 2018/08/19 14:25:20

I agree with mpiechotka, the ISO checksum page needs to be served via HTTPS.

http://mirror.centos.org/centos/7/isos/ ... um.txt.asc

Post Reply