[Bug 1461834] Re: 1024-bit signing keys should be deprecated
gordon-z
1461834 at bugs.launchpad.net
Sun May 7 18:35:45 UTC 2017
> This means a man-in-the-middle can gain root access, just by inserting their own version of one of the packages into this network traffic, because updates run as root. They can first obtain the public 1024 bit key from the PPA, then spend as long as they want working out the private key, then sign their false updates with the real private key.
>
> A bug that allows complete compromise of most Ubuntu machines without requiring any user involvement is a very serious bug. Why hasn't this even been assigned to anyone, nearly 2 years after it was reported?
I suppose people will be wondering why it wasn't fixed once a Snowden-
style leak drops showing that this vulnerability was exploited for
years.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1461834
Title:
1024-bit signing keys should be deprecated
Status in Launchpad itself:
New
Status in apt package in Ubuntu:
Confirmed
Bug description:
1024-bit RSA was deprecated years ago by NIST[1], Microsoft[2] and
more recently by others[3].
1024-bit signing keys are insufficient to guarantee the authenticity
of software distributed from Launchpad.net including PPAs. There
should be a mechanism to refuse signing keys below a minimum key
length based on key type. 1024-bit signing keys should be deprecated
and removed from Launchpad.net itself ASAP. Future projects and PPAs
should be disallowed from using 1024-bit signing keys.
1. http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
2. http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
3. https://threatpost.com/mozilla-1024-bit-cert-deprecation-leaves-107000-sites-untrusted/108114
To manage notifications about this bug go to:
https://bugs.launchpad.net/launchpad/+bug/1461834/+subscriptions
More information about the foundations-bugs
mailing list