Google Chrome Repository Insecurity
Google wants you to install a weak cryptographic key (DSA key with only 1024 bits) as a Debian package manager APT key and downloads over plain http without TLS verification. Software download not protected by https (TLS).
Google Chrome Repository Insecurity[edit]
Summary[edit]
As per 14 March 2021
,
- Google wants you to install a weak cryptographic key (DSA key with only 1024 bits) as a Debian package manager APT key.
- Repository download happens over plain http without encryption/authentication (TLS) (https).
Source[edit]
Signing Key[edit]
As per 14 March 2021
, Google wants you to run the following command. (archived)
wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
This effectively results in installing a weak cryptographic key (DSA key with only 1024 bits) as a Debian package manager APT key.
What this does is using the wget
command line downloader to download an APT signing key and then using Debian's apt-key
utility to install the signing key to the system's APT keyring /etc/apt/trusted.gpg
. Sidenote: both apt-key
and /etc/apt/trusted.gpg
are deprecated by Debian [1] but that doesn't have a security impact here.
1) Download https://dl.google.com/linux/linux_signing_key.pub
2) View OpenPGP key information.
gpg --keyid-format long --import --import-options show-only --with-fingerprint linux_signing_key.pub
3) Will show.
pub dsa1024/A040830F7FAC5991 2007-03-08 [SC] Key fingerprint = 4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991 uid Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com> sub elg2048/4F30B6B4C07CB649 2007-03-08 [E] gpg: key 7721F63BD38B4796: 2 signatures not checked due to missing keys pub rsa4096/7721F63BD38B4796 2016-04-12 [SC] Key fingerprint = EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796 uid Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com> sub rsa4096/78BD65473CB3BD13 2019-07-22 [S] [expires: 2022-07-21]
The first key shows dsa1024
which means a DSA key with only 1024 bits.
In January 2011 the National Institute of Standards and Technology (NIST) stated, quote:
Disallowed after 2013
Google seems to agree with this assessment since their signing key file linux_signing_key.pub
already contains a newer key rsa4096
(RSA with 4096 bits). There is however no need whatsoever to still include the weak dsa1024
in the signing key file linux_signing_key.pub
.
Repository[edit]
1) Download https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb (archived
google-chrome-stable_current_amd64.deb
)
2) Extract or open with ark
the google-chrome-stable_current_amd64.deb
compressed archive file.
ark google-chrome-stable_current_amd64.deb
3) Extract or open control.tar.gz
a file inside the google-chrome-stable_current_amd64.deb
compressed archive file.
4) Open the file postinst
(the Debian package maintenance script by the google-chrome-stable_current_amd64.deb
Debian package).
5) Line 137
is:
REPOCONFIG="deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main"
6) Conclusion.
Using plain http instead of https (TLS).
Other sources showing using http instead of https:
Bug Reports[edit]
- Security: Chrome Linux (Debian) Package Repository using unauthenticated HTTP instead of authenticated HTTPS (TLS)
- Security: Debian Package Repository using unauthenticated HTTP instead of authenticated HTTPS
Related[edit]
- Chrome
- Chromium
- Dev/Chromium
- Dev/Default Browser
- Chromium Browser for Kicksecure ™ Discussions (not Whonix)
Footnotes[edit]
- ↑
Quote https://blog.jak-linux.org/2021/02/18/apt-2.2/
apt-key was made obsolete in version 0.7.25.1, released in January 2010, by /etc/apt/trusted.gpg.d becoming a supported place to drop additional keyring files, and was since then only intended for deleting keys in the legacy trusted.gpg keyring.