Tiny Core Linux

General TC => General TC Talk => Topic started by: ovacikar on March 04, 2024, 08:05:22 AM

Title: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: ovacikar on March 04, 2024, 08:05:22 AM
Hello

Google Chrome is blocking downloads from the tinycorelinux.net web site for being insecure. If it was due to the high cost of SSL certificates in the past, letsencrypt offers free SSL certificates to my knowledge.

Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: patrikg on March 04, 2024, 08:24:20 AM
You can bypass that using the Keep key.

(https://forum.tinycorelinux.net/index.php?action=dlattach;topic=26893.0;attach=6781)
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: curaga on March 04, 2024, 09:53:32 AM
This is ridiculous. SSL does not any way mean a download is secure...
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: Rich on March 04, 2024, 10:30:00 AM
Hi curaga
Sounds like poor wording. It's probably objecting because
the link on the Downloads page points to the repo which
needs to be http.
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: andyj on March 04, 2024, 03:54:17 PM
Quote from: curaga
This is ridiculous. SSL does not any way mean a download is secure...
Just another part of security theater.
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: CentralWare on March 06, 2024, 04:17:41 AM
"Secure" has numerous definitions based on who you ask.

SSL simply encrypts data between two (or more) points - there have been US presidential candidates (no names need be mentioned :) ) who somehow thought just because something says SSL is SECURE doesn't mean the press isn't going to have a field day with your emails!

Encrypting publicly available downloads --- it's a pure WASTE of BANDWIDTH as SSL just adds fat to the download since the file itself is public domain.  It's not a "secret!"
Encrypting downloads that contain personal content (i.e. zip files or scanned images of your identification, banking records, etc.) WOULD be something you'd want to encrypt.

G00GLE wants to make everything online SSL-IDENTITY based when in fact, it's because of places like Let's Encrypt (free) that every crook on the planet can afford an SSL cert of their own, so what's the point of Chrome pretending there's "safe" anything :)  Don't get me wrong, Let's Encrypt is awesome...  but trying to force the planet into submission?  Sounds an awful lot like the Shockwave/Flash demise to me!

@Curaga: If we HAD to comply...  why not utilize mirror links which DO have SSL implemented?  (https://distro.ibiblio.org/tinycorelinux/14.x/x86_64/release/CorePure64-14.0.iso)
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: gadget42 on March 06, 2024, 05:13:36 AM
@CentralWare, thanks for taking the time to post that since there are many who don't understand the particulars.
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: Dies Irae on March 06, 2024, 05:14:18 AM
While we're on this subject of secure..

What are the thoughts about adding signify, noting that there are various flavours (predominantly due to adding fields), for which we perhaps could choose OpenWRT usign (https://openwrt.org/packages/pkgdata/usign) (which cost them a mere 11K when installed).

Recall that the computational overhead here would be minimal; the idea is that we can cryptographically verify a small file that is basically a hash+info of the extension. Once we know the hash is good, we assume that the file matching that hash is also good. OpenBSD (who sanely rejected the idea that https solves everything in life) proved the idea is sound and inclusive to all (https://www.openbsd.org/papers/bsdcan-signify.html); OpenWRT's implementation isn't new (had eyeballs) and is invested in being small and lightweight.

The entire dance is probably even cheaper than a https handshake/exchange (and alleviates everyone from fears such as today's (https://forum.tinycorelinux.net/index.php/topic,26888.0), while even pre-emptively swiping pro-https arguments off some potential table). Potential match made in heaven?
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: curaga on March 06, 2024, 10:44:22 AM
TC is a small, volunteer-based distro. While signing extensions would help detect a rogue mirror, it would imply many other kinds of security that would only be available in larger, corporate distros.
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: Dies Irae on April 07, 2024, 12:35:37 AM
Quote from: curaga
TC is a small, volunteer-based distro. While signing extensions would help detect a rogue mirror, it would imply many other kinds of security that would only be available in larger, corporate distros.

After giving this response considerable thought, I can't, for the life of me, come up with any other implied benefits, other than of course the purpose: that a man in the middle (like the public internet wifi access in a supermarket or cafe or numerous other places OR some Iranian govt (and similar)) cannot trivially infect a tinycore instance, by *simply* passing it the wrong md5 and an infected matching tcz extension.
For equivalent example, I also don't see any other implied security of openwrt (for example) using signify, while I assume one wouldn't run openwrt on their laptop in a cafe, like one would use your cloud-os tinycore.

What other implied security features did I not think of?
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: curaga on April 07, 2024, 02:39:27 AM
A signed extension implies the extension itself can be trusted. It would be trivial for a Jia Tan (see the recent xz news) to contribute a compromised extension, which would then be signed.
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: Dies Irae on April 07, 2024, 02:56:25 AM
Thanks for your clarification. With the utmost respect (really), I'd personally only 'trust' the signify to show that I obtained the binary that is in the repository. After all, with the same xz example, that could still have been in our repo (if someone in good faith had compiled and submitted it).
A more 'glaring' bad extension would hopefully have more eyeballs (Not only the person that somewhat skimmed what was submitted, but also the other users (by usage) of the extension).
It would only guarantee that whatever is currently in the repo, is what I got, be it good, or bad.

Who knows, a fair poll could shed some light on what 'the masses' think about the subject. You may be very right that they would mis-perceive its purpose (what it does, and doesn't add/do).
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: mrodrigues on November 01, 2024, 04:42:08 AM
SSL certs are about more than just encrypting traffic. They help establish that the web server is run by the same organization who manages the DNS record. This lets you be reasonably assured your connection is not being man-in-the-middled.

This is particularly helpful when downloading an operating system, as with no HTTPS, it would be trivial to MitM and spoof the TC download site with a malicious installer.

IMO, it's pretty ridiculous that a site serving OS downloads isn't using HTTPS in the letsencrypt era.
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: curaga on November 01, 2024, 10:05:58 AM
Many of our mirrors offer https. If you worry about MITM, please download from those.
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: nick65go on November 01, 2024, 11:31:20 AM
http vs. https is just the tip of the iceberg (MITM corruption).

Looking over the process to grab a package for Alpine Linux:
Here below in the context, package/application is equivalent of Tinycore TCZ.

1. For each CPU Architecture (ex: x86_64) they have a list (index) of the programs (like TCZ) that they offer. This list/index is SHA1 signed, which means that no alien contributions/packages (similar to TCZ) could arrive on the server (with different file size, time stamp, etc). Only from verified contributors.

2. Each TCZ/package is also SHA1 signed, to check if the package was modified during download.

3. In the package, each FILE is SHA1 signed (has a PAX header in the TAR segments), so even if the package was correctly downloaded, it cannot be tampered with inside (back doors).

FYI: Other advantages:
4. There is only one version of a library. Ex: if an application depends on some *.so (ex: ABC.so.10), when ABC is updated (to ABC.so.20) then ALL apps that depend on it will also be updated/recompiled. So there will be no case where a dependency of a dependency drags both/multiple versions of ABC.so into a dependency tree. [or loads both, like in tinycore when using FlaxPdf and Xpdf].

Minimalism/simplicity is not equivalent with security, but it helps a little by reducing attack surface and the possible bugs/back-doors.
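The signed-hash-file flow Dies Irae describes above, and the signed package index nick65go describes for Alpine, as one added Go example that is not Tiny Core, OpenWRT or Alpine code: the manifest layout, the repo key pair and the extension bytes are all constructed here, and Ed25519 (the algorithm signify and usign use) does the signing. Scenario() returns the client's verdict for an honest mirror, a man in the middle who re-signs a rewritten manifest without the repo key, and a genuine manifest served next to a swapped extension.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// SignedManifest is the small file the repo publishes: "<sha256 hex>  <name>"
// lines plus an Ed25519 signature over them (constructed layout, loosely modelled on signify).
type SignedManifest struct{ Body, Sig []byte }

func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the repo-side step; the private key never leaves the repo.
func SignManifest(priv ed25519.PrivateKey, exts map[string][]byte) SignedManifest {
	var b strings.Builder
	for name, data := range exts {
		fmt.Fprintf(&b, "%s  %s\n", sha256Hex(data), name)
	}
	body := []byte(b.String())
	return SignedManifest{Body: body, Sig: ed25519.Sign(priv, body)}
}

// VerifyManifest checks the signature against the pinned public key before
// parsing anything: an unsigned or re-signed manifest yields no hashes at all.
func VerifyManifest(pub ed25519.PublicKey, m SignedManifest) (map[string]string, error) {
	if !ed25519.Verify(pub, m.Body, m.Sig) {
		return nil, errors.New("manifest signature invalid")
	}
	hashes := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(m.Body)), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || len(f[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed manifest line %q", line)
		}
		hashes[f[1]] = f[0]
	}
	return hashes, nil
}

// VerifyExtension is the client-side check on each downloaded file.
func VerifyExtension(hashes map[string]string, name string, data []byte) error {
	want, ok := hashes[name]
	if !ok {
		return fmt.Errorf("%s not listed in signed manifest", name)
	}
	if got := sha256Hex(data); got != want {
		return fmt.Errorf("%s hash mismatch: got %s want %s", name, got, want)
	}
	return nil
}

// Scenario returns the client's verdict for three cases built from constructed
// data: an honest mirror; a man in the middle who rewrites extension and
// manifest but lacks the repo key; and a genuine manifest beside a swapped file.
func Scenario() (honest, forgedManifest, swappedFile error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed repo key
	if err != nil {
		panic(err)
	}
	good := []byte("constructed nano extension bytes")
	hashes, honest := VerifyManifest(pub, SignManifest(priv, map[string][]byte{"nano.tcz": good}))
	if honest == nil {
		honest = VerifyExtension(hashes, "nano.tcz", good)
	}
	evil := map[string][]byte{"nano.tcz": []byte("backdoored nano")}
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key
	_, forgedManifest = VerifyManifest(pub, SignManifest(attackerPriv, evil))
	swappedFile = VerifyExtension(hashes, "nano.tcz", evil["nano.tcz"])
	return
}
```

As curaga and Dies Irae both note, this only proves the client got what the repo signed; it says nothing about whether the signed content was worth trusting.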
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: champignoom on June 23, 2025, 01:00:07 AM
Quote from: curaga
Many of our mirrors offer https. If you worry about MITM, please download from those.

No, you can't get an authentic mirror link from a hijacked non-https website.

Quote from: mrodrigues
IMO, it's pretty ridiculous that a site serving OS downloads isn't using HTTPS in the letsencrypt era.

Indeed. This unnecessarily makes the website and even the OS itself less reliable.

Is there any reason tinycorelinux.net still isn't https, given that forum.tinycorelinux.net is https?
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: CNK on June 23, 2025, 11:49:58 PM
Quote from: curaga
Many of our mirrors offer https. If you worry about MITM, please download from those.

Quote from: champignoom
No, you can't get an authentic mirror link from a hijacked non-https website.

There's a mirrors page on the Wiki (https://wiki.tinycorelinux.net/doku.php?id=wiki:mirrors), which uses HTTPS. But as it's a user-contributed wiki, there's no guarantee that the links are "authentic" anyway (same with the user-contributed extensions themselves).

Quote from: champignoom
Is there any reason tinycorelinux.net still isn't https, given that forum.tinycorelinux.net is https?

I wish the forums and wiki still allowed plain HTTP connections too (as well as HTTPS).
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: CentralWare on June 07, 2026, 12:27:23 PM
Quote from: mrodrigues
SSL certs are about more than just encrypting traffic. They help establish that the web server is run by the same organization who manages the DNS record. This lets you be reasonably assured your connection is not being man-in-the-middled.

This is particularly helpful when downloading an operating system, as with no HTTPS, it would be trivial to MitM and spoof the TC download site with a malicious installer.

IMO, it's pretty ridiculous that a site serving OS downloads isn't using HTTPS in the letsencrypt era.

About 30 years ago, your comment would have been somewhat true. VeriSign and the other leaders went to different lengths to have a proof-of-identity obstacle for users to burden themselves with to show the website visitors "Hey, this website SSL belongs to Joe Schmo"...    Nowadays, Verisign doesn't even DO SSL certificates from the looks of it!!!

...and for "who manages a site's DNS?"  Do you really think I want Let's Encrypt to know who takes care of my DNS records???  Let alone have the PUBLIC know that???

Today, DNS is usually "managed" by Control Panel software and your web hosting company...
unless you're rich enough to own your own T1/OC3/Fiber and host your own network online.
THEN, you may actually...  nope!  Even then, things like Let's Encrypt still have NO CLUE who you are.

I have about 20 or so SSL certificates through Let's Encrypt.
Not a single one of the SSL certificates even knows my name or business name.
None of them know my (home/business) address.
I'm pretty sure even a phone number isn't mandated.
Why? They don't ask.  They don't have to! They're encryption certificates! They don't care!
Why? I have a hosted server I'm thinking about at the moment that the Control Panel of the hosting company downloads and installs the L.E. SSL certificates virtually as easy as clicking a button. Oh, wait...  I don't even have to click!  It's automatic as soon as I tell it I want SSL for a given website.
Are my private details SHARED with Let's Encrypt in the process?  Nope!

In fact, in the United States, it's ILLEGAL to share private details about someone without their express, written permission (Privacy Acts exist around the globe to some degree) to where even Domain Registrars have to offer domain privacy.  Take TinyCore's website for example:
https://www.godaddy.com/whois/results.aspx?itc=dlp_domain_whois&domain=tinycorelinux.net
You'll notice Robert S. isn't listed on here, right?  Nor are ANY of the Admins for that matter.  Why?  People in the States have become sticklers about "privacy" since the US slapped their own hands back in 1974 with the first real Privacy Act.

SSL certificates are used solely to create a secure connection between YOU (say, your browser) and a physical MACHINE somewhere out there so that when you type "Hello", it's scrambled into a mess of a long, LONG string of characters and sent through the Ether to the MACHINE out there where it's unscrambled and received. This process makes it very difficult for third party people to "look over your shoulder" (network monitoring) and see what you've sent. It has NOTHING to do with proving who YOU ARE...  it's strictly used to prove what DOMAIN NAME you're connecting to - and not even as deep as the DNS settings of that domain!

Example: https://users.simplenix.com/forum/
Here's a dummy forum I've set out as bait for special kinds of ill-intended traffic.
Click on your browser's "shield", green button or means of displaying the website is SECURE.
Follow your browser's buttons/links until you can actually VIEW the SSL Certificate.
It specifically states "This website does not supply ownership information."
Inside the SSL, it specifically lists "users.simplenix.com" and "www.users.simplenix.com" as being the only allowed domain names to use this SSL.
(LOL) Firefox also says I've visited the SSL domain 1,141 times already this year... but doesn't tell me a thing about who I am, where I'm from, etc.

Nothing more. Nothing less. It's strictly an encryption protocol.

Now if you WANT your SSL to be Proof of Identity you can PAY for those features!!!  See: https://www.ssltrust.com/ssl-certificates
This company charges $23/year just to put your business name on your SSL.  (No, they don't actually PROVE it exists, it's legal, etc. - just that the NAME exists.)

As for my SSLs, that's 20 websites that claim to be "protected" and "trustworthy" based on your definition.
For Man-in-the-middle, that's easy to accomplish EVEN WITH SSL.

Example:
Let's say I create a website called TinyCare.net and set it up to look exactly like TCL - and get an SSL through Let's Encrypt which is effortless...
I then do some hacking magic and get into TCL's web server, forum server or wiki server OR better yet, one of the mirror repos out there...
I make some tweaks to the ISO installation images (mainly, changing /opt/tcemirror to point to CARE instead of CORE)
Easy Peasy!  I'm now the Man in the Middle of an entire operating system... and the end users don't have a clue.

That is the most difficult example to accomplish - modifying the ISO images themselves - and it's still far from impossible.

This isn't a TCL thing...  this is global. This is also why VeriSign and the others used to COST so much - there was actual HUMAN WORK involved.

@champignoom: Mirrors fetch content, whether it be by RSYNC, HTTP, HTTPS, FTP, etc.  Many of these protocols do not use TLS (SSL), but regardless of whether they did or not is irrelevant -- it doesn't protect the DATA they're downloading.

None of the ISO files or extensions are "signed" and it's a waste of time signing things, as has been said.

For example, I'm a developer (programmer...  coder... what ever you want to call it these days...)
I'm going to create a video game (the MOST POPULAR method of MitM on cell phones and tablets to date!)
Once it's reasonably functional, I'm going to PUBLISH it.  Voila'!  It's signed!

Signed just means it came from ME.  If you actually LOOK at some/many of these signatures out there, they use ALIAS INFORMATION and handles!  Free-mail accounts for sending and receiving communications from the signature system, my first/last name being "Avid Hacker", my address being 12345 Somestreet, Everywhere, CA 90066 (I tend to use this kind of information when signing up for websites I don't trust - which is most!) and for those with a hint of 80's nostalgia my phone number is 888-867-5309.

So, as an end-user to "signed" files...  you get what EVER I packaged into the mix - viral, or worse, all whilst thinking you're safe and cozy with SSL and/or Signed Software.  The best part about it, if the package contains anything bad...  it points back to a person that doesn't exist.

"Wait! There have to be some places that VERIFY who you are!?"
Do you really think Google has time (and money) to waste by verifying developers are who they claim to be?
They don't HAVE to.  They let the PUBLIC determine who's naughty and who's nice - and the naughty get banned after the fact. After the damage is done.
...and the email address another_junk_email_account@gmail/yahoo/hotmail/etc.com and fake google voice phone number get deleted and there's no trace Avid Hacker even existed in the first place and they create another persona and do it all again.

My job is to DETECT scams, back doors, etc. so I have to be educated on how it's done in the first place. (Means... I have a wee clue of what I'm talking about! :) )

The CONCEPT of how Tiny Core Linux manages their repo is reasonably sound. Only the Admins, that I'm aware of, have access to the ISO files and their creation.
EXTENSIONS, which are easily compared to APK apps on Android or even "Software Applications" on Windows, are community driven 99.something% of the time. This means that the quirky media player you downloaded could have come from virtually anywhere (thus READ the INFO FILE before DOWNLOADING ANYTHING from ANYWHERE! At very least to see where it came from.)

YOU can create a document, script, all the way up to a full-fledged application and YOU can submit it to TCL and with a quick scan of the content, if they feel it IS what you SAY it is, they'll post it for all others to see/use.  They don't TEST every extension/application themselves - but neither does Ubuntu, Red Hat... Apple... Microsoft... nor can they be expected to.

Google doesn't TEST APKs submitted to the Play Store - YOU do.
Microsoft surely doesn't TEST anything on their store, the department stores, etc. YOU do.
TinyCore cannot be expected to hire people to TEST everything, either.  Again...  community driven.

If you want SAFETY:

Admins: For sake of never having to repeat myself, please trim this post as you see fit and post it on the Wiki so it's easy to reference here-out.

SSL: Secure Sockets Layer, a former standard security technology, deprecated in June 2015, for establishing an encrypted link between a server and a client (TLS has pretty much replaced SSL, but we still USE THE TERM "SSL" because the name's been around for so long.)

Key Concepts:
Certificate Authority (CA): A trusted third party responsible for issuing and verifying digital certificates.
Public Key Infrastructure (PKI): The framework—comprising public and private keys—that facilitates secure electronic transfer of information.
Encryption: Scrambles data in transit, ensuring that even if intercepted, it cannot be read without the corresponding key.

However, Google's AI reads:
Quote
An SSL (Secure Sockets Layer) certificate is a digital document that authenticates a website's identity and enables an encrypted connection. Although the technology was officially superseded by TLS (Transport Layer Security), the industry still uses the term "SSL". It acts as an electronic passport, verifying that a user is communicating directly with the intended server and protecting data from interception.
which is potentially misleading as it states it "authenticates a WEBSITE'S IDENTITY" where I imagine some people are misconstruing this as a PERSON'S IDENTITY, as the identity in question was shown in the above simplenix example.

LMAO! Not even https://microsoft.com SSL certificate has "ownership information" -- and it's SELF SIGNED, so THEY are the CA to their own website(s) - they're the cop, bailiff, judge and jury all in one! :) It's a business level certificate (OV) (which costs them nothing extra since they're the CA, too) which just states they're supposed to be located in Redmond, WA, US - and that's it.

DO NOT post a link to wiki/SSL...  dozens of possible uses for the acronym "SSL" including "Sesame Street Live!"
Instead, use: https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0,_2.0,_and_3.0
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: Rich on June 07, 2026, 12:39:33 PM
Hi CentralWare
Congratulations, you've been added to the  Wiki Author  group which
now allows you to edit the Wiki.
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: nick65go on June 07, 2026, 02:36:37 PM
@CentralWare: Congratulations for your last intervention. You make my day!  :-* I vote that it should be pinned as common knowledge/expectations
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: CentralWare on June 09, 2026, 12:20:29 AM
LOL! It wasn't my initial intention, but there's about a hand-full of topics that truly get under the skin when it comes to the massive amounts of misinformation spreading around the 'web that leaves one to wonder "...how did it ever get this bad?" :)

Okay, let me get this "AI" project/setup nipped in the bud and I'll check in with Doku-Wiki and say "Hi!" to the ol' beast.  Possibly this upcoming weekend (?)  I'd imagine a lot has changed since my "retirement" so I'll P/M with any questions!

@nick65go: Thanks, I aim to please! Pinning it won't make believers - or even get the masses to read it, BUT with the help of moderators and helpful souls such as yourself, spreading truth is easy - and the post(s) will just be a collective gathering of facts (with links to follow for the true disbelievers!) and possibly a few analogies to make things more "visual" for those such as myself who learn/believe by experiencing and/or visualizing.  I'm not planning to write "memoirs before the web," my almost-eight-year-old already associates me with the Jurassic era... but a few high valued topics won't hurt.

@Rich: GEE...  thanks!  (I can see you now...  laughing to yourself, saying "...better you than me!")

Take care, amigos!
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: Rich on June 09, 2026, 08:31:30 AM
Hi CentralWare
Quote from: CentralWare
... @Rich: GEE...  thanks!  (I can see you now...  laughing to yourself, saying "...better you than me!")
Sorry, every now and then I like to have some fun at
someone else's expense. :)
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: CentralWare on June 12, 2026, 04:55:12 AM
@Rich: It's all good...  if anyone around here is allowed get away with that, it's you! Within reason! :D

TO EVERYONE: I had an epiphany yesterday while I talked with my wife after supper...
I said to her "...I've always had a photographic, 'visual' memory, it's how I've been able to retain even little details most everyone else misses..."
Then I said, "...wow...  that explains so much..."

She said, "What's that?"

I replied "Getting old sucks!  Especially now that my sight isn't half as good as it was a few years ago!"
It took a second, then she bolted into laughter realizing for some of us, seeing is everything!  When you can't see, though...  you go senile!
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: gadget42 on June 12, 2026, 11:09:41 AM
Quote from: @CentralWare
... Getting old ...

*random thoughts after reading this thread*TM

https://en.wikipedia.org/wiki/Soylent_Green

https://en.wikipedia.org/wiki/Expiration_date

https://en.wikipedia.org/wiki/Unsafe_at_Any_Speed

https://en.wikipedia.org/wiki/Timeline_of_human_sacrifices

https://en.wikipedia.org/wiki/Voluntary_Human_Extinction_Movement

https://www.linkedin.com/pulse/what-situational-awareness-actually-why-most-people-teach-nhdzc

https://www.reddit.com/r/OCD/comments/nd3em3/does_anybody_else_experience_disjointed_thoughts/

ymmv/yolo/etc
Title: Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
Post by: hiro on June 12, 2026, 11:57:35 AM
I would see some positive in it, too.
Your imagination may still be visual, and your creativity might not need much of the distraction of this world that is moving way too fast. Unimpeded by stuff around us getting worse in the real world, you might use your creativity to envision a better future, so far removed that nobody else can do it :)