Untrusted software and security click-through warnings

[João Pinto]

Hello,
I am the project founder and project manager of a software portal created to
provide the latest software for the current released Ubuntu version.
http://www.getdeb.net

First let me introduce our project:

Team:
We about 6 volunteer active members, some are also Ubuntu/Debian package
contributors, some others are just open source and Ubuntu supporters like
myself.

Software distribution:
The software is being published using links to .deb files (thanks to gdebi).
Every day we are providing >5000 downloads, 100 GBs distributed over 10
mirrors.
We have about 6000 registered users, our current work queue is 40 packages
(new software plus updates).

Failures:
We have provided about 4 failed packages in 400 releases, 2 of them have
overwritten the user's mime database, the other's where failed package
installs. The failed installations could be rolled back with "Remove
program" "Add Program"

Internationalization:
The site template is translated into 27 languages (some with missing
strings), we have 887 applications descriptions translations.

Users feedback:
You can check the comments for yourself, besides that you can also check
what people say about us on their blogs.

Security:
We do not distributed third party provided .deb packages, all of our
packages are built on an automated building server, validated and uploaded
after our base QC. Our current risk resides on the distributed nature of our
mirrors, there is an higher potential risk of system compromising, we have
minimal integrity validation, but not sufficient from a security point of
view. This our current main concern and driving factor for an APT mirror
adoption, however there are some limitations and/or lack of know-how to
setup an APT mirror and select a proper system and client configuration that
can keep our current high availability and user-oriented software
distribution model.

I agree with some of  your points, but not with others, anyway your note was
a notification, not a request for comments.
I do not know if you decision will actually block malicious users, malicious
users take more advantage of those users which are not security aware, or
which are just desperate to get some software,

Your decision will have a major impact on our team objectives and work plan
on the short term, which may be a significant impact to the Ubuntu/Getdeb
users community on the long term.

Is there a plan with dates for this changes to be implemented ?

Thank you

Message: 1
Date: Fri, 28 Sep 2007 15:56:31 +0100
From: Ian Jackson < iwj at ubuntu.com>
Subject: Untrusted software and security click-through warnings
To: ubuntu-devel at lists.ubuntu.com
Message-ID:
       <18173.5663.835956.688760 at davenant.relativity.greenend.org.uk >
Content-Type: text/plain; charset=us-ascii

We had an IRC discussion during the Desktop Team Meeting on
#ubuntu-devel about apt+http://foo.bar?package=baz (which might add
new repositories such as PPAs).  This turned into a long discussion of
the merits of various security considerations and convenience
tradeoffs.  I said I'd post here about it.  What follows is very much
my personal view but I think the conclusions are inevitable.


Firstly, I would assert that we are largely responsible for the
security of Ubuntu users' systems:

We cannot assume that our users are sufficiently knowledgeable and
experienced to know what is and is not an acceptable risk to take.  We
must ensure that naive users following the obvious path to get their
work done are not led into error.


Secondly, click-through "get this task done" security warnings are
harmful:

It is well established through research (and I'm sure through the
personal experience of most of us here) that systems which pop up
dialogues which essentially ask the user "so do you actually want to
do what you just asked me to" are useless.  The user will almost
inevitably just say "yes" without reading any of the text.

It has been argued in the past that these dialogues are useful to
some power users, who know what they really mean.  Perhaps this is
so.  However, the point of Ubuntu is to make computing accessible to
everyone - not just experts.  And a computer which leads a user astray
is not accessible to that user.

Therefore these dialogues should be abolished.  In cases where the
dialogue is there to ask the user to permit a dangerous operation, the
system should be reworked so that either
 1. the operation is made less dangerous (so that it can be safely
   done without prompting), or so that
 2. the operation can only be requested by much more explicit action
   by the user (not by some third party!) so that no further
   confirmation is needed.


Thirdly, the Internet is full of malicious people who would like to
install software on our users' computers.

This is less true now than it will be in (say) 5 years' time.  The
main thing which is holding back the deployment of malware against our
users is that we are not currently as juicy a target as M$'s systems.
When Ubuntu is as popular as Windows, our users will have many of the
same problems that Windows users do now.

The reason for this is that we have been inheriting (sometimes via
third parties) the idea that it is acceptable to go to a website, find
you need to install some software to use it, and then install that
software provided by that website - and the idea that it is a sensible
thing for a user to look for zero-cost software via a search engine
and then just install it.

All of us experts here know that this isn't a good way to proceed.
But our users don't.  For these reasons, it is up to us to do better.


Conclusion: Ubuntu systems should not provide a smooth `click through'
route to the installation of untrustworthy software.

Untrustworthy software includes all software which we don't have some
reason to trust.  This means:

 * No click-through installation of downloaded .debs
 * No click-through addition of arbitrary apt repositories or keys
 * No click-through installation of arbitrary browser plugins
 * No click-through addition of PPAs without further policy controls

What _is_ OK is:

 * Yes, click-through installation of .debs already in Ubuntu
 * Yes, click-through installation of browser plugins provided in Ubuntu
 * Yes, click-through installation of media codecs provided in Ubuntu
 * Yes, click-through addition of PPAs whose uploaders we bless
   and for which someone will provide security support

There should be some kind of click-through here because installing
software is a significant step: it consumes time and bandwidth and may
make the system less stable.  We need to keep the user informed so
they know what they're waiting for and give them the opportunity not
to have their work interrupted by the download and installation
process.  Note that the click through serves the user's convenience,
not their security.


What might also be OK is selectively permitting the installation of
software from third parties that we have the right kind of
relationship with.  We would have to think about what the criteria
might be, but here is a starting point:

 * The third party would have to agree in a legally binding way to
  uphold and not subvert the user's rights on their own computer;
 * The third party would have to commit to provide security updates,
  where necessary, within a defined timeframe.
 * The list of approved third parties should be provided by Ubuntu and
  programmatically enforced by the software;
 * We should be able (both contractually and technically) to
  withdraw/revoke such a third party permission if they turn out
  in our opinion not to take our users security and privacy
  seriously;
 * We should think carefully about the user interface for enabling a
  particular third party, which ought to be an explicit step;
 * We should consider the position of users who have already approved
  a particular third pary source which we have revoked -
  specifically, we should consider what actions of ours would be in
  the best interests of those users.


What is of course also necessary is an ability for power users to
specify additional third-parties without any blessing from Ubuntu.
However *this facility must not to be accessible to naive users*.

In particular, it *must not be possible* for a third party to invoke
such a UI via eg a website, incoming email, video file, or whatever.


We can't stop third parties writing on their website

 "Now go to   Settings / Advanced / Trusted Software Sources
  and select   Add Absolute URL
  and paste in   http://malware.example.com/ubuntu/
  say `confirm' to the security warning and enter your pasword"

or

 "Select  Applications / Accessories / Terminal
  In the window type
    sudo apt-add-untrusted-repository --force-security-override
http://malware.example.com/ubuntu/
  and type in your password when prompted."

but even a naive user can be expected to smell a rat there.

On the other hand if the third party can say

 "Your browser does not support Frobnication.
  [Click here] to install it"

the user will click and probably say yes to the confirmation question
and enter their password when prompted.  So we have to prevent that.


I realise that this may involve changes to some of our existing
software, which doesn't always adhere to the principles above, and it
will cause some pain.  I'm sure it will cause howls from those power
users who are wedded to their favourite firefox extensions and feel
that all users should have an easy route to installing them.

But the alternative is that in 5 years' time our users' systems will
be malware-infested nightmares.

Or to put it another way: the point of Ubuntu is to give users control
over their own computers - that is, Freedom.  Our job includes
defending that control against those who would risk it in the name of
temporary convenience.


Thanks for your attention.

Ian.

-- 
João Pinto
GetDeb Package Builder
http://www.getdeb.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.ubuntu.com/archives/ubuntu-devel/attachments/20070928/3c8ad35f/attachment-0001.htm