Google Chrome Repository Insecurity
Donate
Google wants you to install a weak cryptographic key (DSA key with only 1024 bits) as a Debian package manager APT key and downloads over plain http without TLS verification. Software download not protected by https (TLS).
Google Chrome Repository Insecurity[edit]
Summary[edit]
As per 14 March 2021,
- Google wants you to install a weak cryptographic key (DSA key with only 1024 bits) as a Debian package manager APT key.
- Repository download happens over plain http without encryption/authentication (TLS) (https).
Source[edit]
Signing Key[edit]
As per 14 March 2021, Google wants you to run the following command. (archived
)
wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
This effectively results in installing a weak cryptographic key (DSA key with only 1024 bits) as a Debian package manager APT key.
What this does is using the wget command line downloader to download an APT signing key and then using Debian's apt-key utility to install the signing key to the system's APT keyring /etc/apt/trusted.gpg. Sidenote: both apt-key and /etc/apt/trusted.gpg are deprecated by Debian [1] but that doesn't have a security impact here.
1) Download https://dl.google.com/linux/linux_signing_key.pub
2) View OpenPGP key information.
gpg --keyid-format long --import --import-options show-only --with-fingerprint linux_signing_key.pub
3) Will show.
pub dsa1024/A040830F7FAC5991 2007-03-08 [SC]
Key fingerprint = 4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991
uid Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
sub elg2048/4F30B6B4C07CB649 2007-03-08 [E]
gpg: key 7721F63BD38B4796: 2 signatures not checked due to missing keys
pub rsa4096/7721F63BD38B4796 2016-04-12 [SC]
Key fingerprint = EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796
uid Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub rsa4096/78BD65473CB3BD13 2019-07-22 [S] [expires: 2022-07-21]
The first key shows dsa1024 which means a DSA key with only 1024 bits.
In January 2011 the National Institute of Standards and Technology (NIST) stated, quote:
Disallowed after 2013
Google seems to agree with this assessment since their signing key file linux_signing_key.pub already contains a newer key rsa4096 (RSA with 4096 bits). There is however no need whatsoever to still include the weak dsa1024 in the signing key file linux_signing_key.pub.
Repository[edit]
1) Download https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb (archived google-chrome-stable_current_amd64.deb)
2) Extract or open with ark the google-chrome-stable_current_amd64.deb compressed archive file.
ark google-chrome-stable_current_amd64.deb
3) Extract or open control.tar.gz a file inside the google-chrome-stable_current_amd64.deb compressed archive file.
4) Open the file postinst (the Debian package maintenance script by the google-chrome-stable_current_amd64.deb Debian package).
5) Line 137 is:
REPOCONFIG="deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main"
6) Conclusion.
Using plain http instead of https (TLS).
Other sources showing using http instead of https:
Bug Reports[edit]
- Security: Chrome Linux (Debian) Package Repository using unauthenticated HTTP instead of authenticated HTTPS (TLS)
- Security: Debian Package Repository using unauthenticated HTTP instead of authenticated HTTPS
Related[edit]
- Chrome
- Chromium
- Dev/Chromium
- Dev/Default Browser
- Chromium Browser for Kicksecure ™ Discussions (not Whonix)
Footnotes[edit]
- ↑
Quote https://blog.jak-linux.org/2021/02/18/apt-2.2/
apt-key was made obsolete in version 0.7.25.1, released in January 2010, by /etc/apt/trusted.gpg.d becoming a supported place to drop additional keyring files, and was since then only intended for deleting keys in the legacy trusted.gpg keyring.
At
Kicksecure we believe in freedom and trust. That's why we fully support Open Source and Freedom Software.
Kicksecure ™ is supported by Evolution Host DDoS Protected VPS.
ENCRYPTED SUPPORT LP,
2023