Google Chrome Repository Insecurity
From Whonix
Summary
As of 14 March 2021:
- Google wants you to install a weak cryptographic key (a DSA key with only 1024 bits) as a Debian package manager APT key.
- Repository downloads happen over plain http without encryption/authentication (TLS, i.e. https).
Source
Signing Key
As of 14 March 2021, Google wants you to run the following command (archived [archive]):
wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
This effectively results in installing a weak cryptographic key (DSA key with only 1024 bits) as a Debian package manager APT key.
What this does is use the wget command line downloader to download an APT signing key and then use Debian's apt-key utility to install the signing key into the system's APT keyring /etc/apt/trusted.gpg. Sidenote: both apt-key and /etc/apt/trusted.gpg are deprecated by Debian [1], but that doesn't have a security impact here.
1) Download https://dl.google.com/linux/linux_signing_key.pub [archive]
2) View OpenPGP key information.
gpg --keyid-format long --import --import-options show-only --with-fingerprint linux_signing_key.pub
3) This will show:
pub   dsa1024/A040830F7FAC5991 2007-03-08 [SC]
      Key fingerprint = 4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991
uid                            Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
sub   elg2048/4F30B6B4C07CB649 2007-03-08 [E]
gpg: key 7721F63BD38B4796: 2 signatures not checked due to missing keys
pub   rsa4096/7721F63BD38B4796 2016-04-12 [SC]
      Key fingerprint = EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796
uid                            Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub   rsa4096/78BD65473CB3BD13 2019-07-22 [S] [expires: 2022-07-21]
The first key shows dsa1024, which means a DSA key with only 1024 bits.
In January 2011 the National Institute of Standards and Technology (NIST) stated, quote [archive]:
Disallowed after 2013
Google seems to agree with this assessment since their signing key file linux_signing_key.pub already contains a newer key, rsa4096 (RSA with 4096 bits). There is however no need whatsoever to still include the weak dsa1024 key in the signing key file linux_signing_key.pub.
Repository
1) Download https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb [archive] (archived google-chrome-stable_current_amd64.deb [archive])
2) Extract or open the google-chrome-stable_current_amd64.deb compressed archive file with ark.
ark google-chrome-stable_current_amd64.deb
3) Extract or open control.tar.gz, a file inside the google-chrome-stable_current_amd64.deb compressed archive file.
4) Open the file postinst (the Debian package maintenance script of the google-chrome-stable_current_amd64.deb Debian package).
5) Line 137 is:
REPOCONFIG="deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main"
6) Conclusion: the repository is configured over plain http instead of https (TLS), so the download is neither encrypted nor authenticated in transit and package integrity rests solely on the APT signing key.
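To turn the two manual checks above (reading the gpg listing of linux_signing_key.pub in the Signing Key section, and reading the REPOCONFIG line out of postinst) into a repeatable audit, here is an added shell example that is not part of the Whonix page. It embeds the page's gpg output and REPOCONFIG line as constructed samples; audit_key_file and audit_local_sources are hypothetical helper names and assume gpg and awk are installed.

```shell
#!/bin/sh
# Added example (not from the Whonix page): flag weak APT signing keys and
# plaintext (http://) APT repository lines. Assumes gpg and awk are installed.

# Constructed sample: the gpg listing of linux_signing_key.pub as quoted on the page.
SAMPLE_KEY_LISTING='pub   dsa1024/A040830F7FAC5991 2007-03-08 [SC]
      Key fingerprint = 4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991
uid                            Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
sub   elg2048/4F30B6B4C07CB649 2007-03-08 [E]
pub   rsa4096/7721F63BD38B4796 2016-04-12 [SC]
      Key fingerprint = EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796
uid                            Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub   rsa4096/78BD65473CB3BD13 2019-07-22 [S] [expires: 2022-07-21]'

# Constructed sample: the REPOCONFIG line from postinst plus an https variant for contrast.
SAMPLE_SOURCES='deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main
deb [arch=amd64] https://dl.google.com/linux/chrome/deb/ stable main'

# Read a gpg key listing on stdin; print "algo/keyid" for every primary key or
# subkey that is DSA, ElGamal or RSA with fewer than 2048 bits (dsa1024 is the
# case the page describes). ECC keys (ed25519, cv25519, nistp256 ...) are not
# subject to this modulus-size rule and are never flagged by it.
weak_keys() {
    awk '($1 == "pub" || $1 == "sub") {
        split($2, parts, "/"); algo = parts[1]
        bits = algo; gsub(/[^0-9]/, "", bits)
        if (algo ~ /^(dsa|elg|rsa)/ && bits + 0 < 2048) print $2
    }'
}

# Read APT source lines on stdin; print every deb/deb-src line whose URI is
# plain http:// (no TLS), i.e. a line relying solely on the signing key.
plaintext_sources() {
    awk '($1 == "deb" || $1 == "deb-src") {
        for (i = 2; i <= NF; i++) if ($i ~ /^http:/) { print; break }
    }'
}

# Hypothetical helper: run the page's gpg inspection command on a key file and audit it.
audit_key_file() {
    gpg --keyid-format long --import --import-options show-only \
        --with-fingerprint "$1" 2>/dev/null | weak_keys
}

# Hypothetical helper: audit the local APT source lists for plaintext repositories.
audit_local_sources() {
    cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null | plaintext_sources
}

# Run against the constructed samples: prints dsa1024/A040830F7FAC5991 and the http:// deb line.
printf '%s\n' "$SAMPLE_KEY_LISTING" | weak_keys
printf '%s\n' "$SAMPLE_SOURCES" | plaintext_sources
```

On a real system, `audit_key_file linux_signing_key.pub` and `audit_local_sources` apply the same two rules to the downloaded key file and to the installed APT sources.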
Other sources showing the use of http instead of https:
Bug Reports
- Security: Chrome Linux (Debian) Package Repository using unauthenticated HTTP instead of authenticated HTTPS (TLS) [archive]
- Security: Debian Package Repository using unauthenticated HTTP instead of authenticated HTTPS [archive]
Related
- Chrome
- Chromium
- Dev/Chromium
- Dev/Kicksecure Default Browser
- Chromium Browser for Kicksecure Discussions (not Whonix) [archive]
Footnotes
- ↑ Quote from https://blog.jak-linux.org/2021/02/18/apt-2.2/ [archive]:
apt-key was made obsolete in version 0.7.25.1, released in January 2010, by /etc/apt/trusted.gpg.d becoming a supported place to drop additional keyring files, and was since then only intended for deleting keys in the legacy trusted.gpg keyring.
Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)