Hello,
This is my first post on this forum. I hope I'm following expected behavior with the following question.
Questions:
I'm posting this thread because I'm wondering why:
1°) when installing proxmox on debian, one does not seem to have any option other than to download the secure apt signature verification key over http instead of https
see proxmox 4 on debian 8: https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_Jessie
see proxmox 5 on debian 9: https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_Stretch
see section 3.1.4 Secure Apt: https://pve.proxmox.com/pve-docs/pve-admin-guide.html
this could be an open door to MitM attacks. Impact of this attack could be complete compromise of the hypervisor by pushing compromised updates executed with root privileges (i.e. full control of everything).
Simply replacing "http" by "https" in the tutorial does not solve the issue. The certificate that is afterwards recovered during the TLS exchange
1°) is for another domain
2°) if accepted leads to an authentication request (paid subscription)
2°) when following both guides for proxmox 4 on debian 8 and proxmox 5 on debian 9, there is no indication of any way to check if the key that one installs to verify packages is the correct one.
see proxmox 4 on debian 8: https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_Jessie
see proxmox 5 on debian 9: https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_Stretch
Some people might simply blindly follow the tutorial (for which I'm grateful. I have not tested the pve5 on debian9 yet, but the other one works like a charm and I thank every contributor for that) and thus,
this could be an open door to MitM attacks. Impact of this attack could be complete compromise of the hypervisor by pushing compromised updates executed with root privileges (i.e. full control of everything).
It is however possible to dig deep into proxmox's website and look for the fingerprint.
However,
a) I cannot manage to find pve4's fingerprint anymore
b) pve5's can be found here: https://pve.proxmox.com/pve-docs/pve-admin-guide.html
c) but this seems to be a poor approach to security as I'm not convinced most people will look that far and the page could be deprecated, erroneous, etc.
3°) when reading the only information I've managed to find in https to check pve5's key, the checksum is provided using an md5 hash, which has been considered cryptographically insecure for a very long time now.
see section 3.1.4 Secure Apt: https://pve.proxmox.com/pve-docs/pve-admin-guide.html
Suggestions:
A potential solution to these "questions" might be to update the 3 pages:
see proxmox 4 on debian 8: https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_Jessie
see proxmox 5 on debian 9: https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_Stretch
see section 3.1.4 Secure Apt: https://pve.proxmox.com/pve-docs/pve-admin-guide.html
and include instructions in all three to verify the key's fingerprint and SHA512SUM.
What do you think?
Kind regards,
J.
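
The check suggested in the post above, as an added example (not part of the original post and not Proxmox's own tooling): it computes the OpenPGP v4 fingerprint (SHA-1 based, per RFC 4880) and the SHA-512 digest of a downloaded key file and compares both against values obtained out of band. The function names and the sample key are constructed for illustration; the pinned values are assumed to come from a channel other than the download itself.

```python
import base64, hashlib, hmac, struct

# Constructed sample: a syntactically valid v4 RSA public-key packet (not a real key).
_BODY = b"\x04" + b"\x5a\x00\x00\x00" + b"\x01" + b"\x00\x20\x80\x81\x82\x83" + b"\x00\x11\x01\x00\x01"
SAMPLE_KEY = b"\x99" + struct.pack(">H", len(_BODY)) + _BODY

def dearmor(data: bytes) -> bytes:
    """Return binary OpenPGP data, decoding ASCII armor if present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [l.strip() for l in data.strip().splitlines()]
    body = lines[lines.index(b"") + 1:-1]          # skip armor headers and END line
    return base64.b64decode(b"".join(l for l in body if not l.startswith(b"=")))  # drop CRC24

def primary_key_body(pkt: bytes) -> bytes:
    """Body of the first packet, which must be a v4 public-key packet (tag 6)."""
    tag = pkt[0]
    if not tag & 0x80:
        raise ValueError("not an OpenPGP packet")
    if tag & 0x40:                                  # new-format header
        ptype, first = tag & 0x3F, pkt[1]
        if first < 192:
            n, off = first, 2
        elif first < 224:
            n, off = ((first - 192) << 8) + pkt[2] + 192, 3
        elif first == 255:
            n, off = int.from_bytes(pkt[2:6], "big"), 6
        else:
            raise ValueError("partial body length is not valid for a key packet")
    else:                                           # old-format header
        ptype, ltype = (tag >> 2) & 0x0F, tag & 3
        if ltype == 3:
            raise ValueError("indeterminate length")
        n, off = int.from_bytes(pkt[1:1 + (1 << ltype)], "big"), 1 + (1 << ltype)
    body = pkt[off:off + n]
    if ptype != 6 or len(body) != n or body[:1] != b"\x04":
        raise ValueError("expected a complete v4 public-key packet first")
    return body

def fingerprint(keyfile: bytes) -> str:
    """v4 fingerprint: SHA-1 over 0x99, two-byte body length, packet body."""
    body = primary_key_body(dearmor(keyfile))
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def verify(keyfile: bytes, pinned_fpr: str, pinned_sha512: str) -> bool:
    """True only if both the key fingerprint and the file digest match the pins."""
    try:
        fpr = fingerprint(keyfile)
    except (ValueError, IndexError, struct.error):
        return False
    sha = hashlib.sha512(keyfile).hexdigest()
    return (hmac.compare_digest(fpr, pinned_fpr.replace(" ", "").upper())
            & hmac.compare_digest(sha, pinned_sha512.strip().lower()))
```

The two checks answer different questions: the fingerprint identifies the key regardless of encoding, while the SHA-512 digest identifies one exact file, so an armored copy of the same key passes the first and fails the second.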