Google Chrome Repository Insecurity

From Kicksecure

Google wants you to install a weak cryptographic key (a DSA key with only 1024 bits) as a Debian package manager APT key, and the repository download happens over plain http without TLS. The software download is not protected by https (TLS).

Google Chrome Repository Insecurity

Summary

As of 14 March 2021:

  • Google wants you to install a weak cryptographic key (a DSA key with only 1024 bits) as a Debian package manager APT key.
  • The repository download happens over plain http, i.e. without the encryption and authentication that TLS (https) would provide.

Source

Signing Key

As of 14 March 2021, Google wants you to run the following command (archived copy on archive.org).

wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add -

This effectively results in installing a weak cryptographic key (a DSA key with only 1024 bits) as a Debian package manager APT key.

This command uses the wget command line downloader to download an APT signing key and then uses Debian's apt-key utility to install that key into the system's APT keyring /etc/apt/trusted.gpg. Sidenote: both apt-key and /etc/apt/trusted.gpg are deprecated by Debian [1], but that has no security impact here.

1) Download https://dl.google.com/linux/linux_signing_key.pub (archived on archive.org).

2) View OpenPGP key information.

gpg --keyid-format long --import --import-options show-only --with-fingerprint linux_signing_key.pub

3) This will show:

pub   dsa1024/A040830F7FAC5991 2007-03-08 [SC]
      Key fingerprint = 4CCA 1EAF 950C EE4A B839  76DC A040 830F 7FAC 5991
uid                            Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
sub   elg2048/4F30B6B4C07CB649 2007-03-08 [E]

gpg: key 7721F63BD38B4796: 2 signatures not checked due to missing keys
pub   rsa4096/7721F63BD38B4796 2016-04-12 [SC]
      Key fingerprint = EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796
uid                            Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub   rsa4096/78BD65473CB3BD13 2019-07-22 [S] [expires: 2022-07-21]

The first key shows dsa1024 which means a DSA key with only 1024 bits.

In January 2011 the National Institute of Standards and Technology (NIST) stated (quote, archived on archive.org):

Disallowed after 2013

Google seems to agree with this assessment, since the signing key file linux_signing_key.pub already contains a newer key, rsa4096 (RSA with 4096 bits). There is, however, no need whatsoever to still include the weak dsa1024 key in linux_signing_key.pub.

Repository

1) Download https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb (archived copy of google-chrome-stable_current_amd64.deb on archive.org).

2) Extract or open the google-chrome-stable_current_amd64.deb compressed archive file, for example with ark.

ark google-chrome-stable_current_amd64.deb

3) Extract or open control.tar.gz, a file inside the google-chrome-stable_current_amd64.deb compressed archive file.

4) Open the file postinst (the Debian package maintenance script shipped by the google-chrome-stable_current_amd64.deb Debian package).

5) Line 137 is:

REPOCONFIG="deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main"

6) Conclusion.

The repository is configured using plain http instead of https (TLS).
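Both findings above (a sub-2048-bit DSA key in the signing key file, and a plain-http deb line in postinst) can be checked mechanically. The script below is an added example, not part of the Kicksecure page or of Google's packaging: it parses gpg's machine-readable --with-colons output and sources.list-style lines from stdin, and the sample data is constructed from the key IDs, sizes and repository line shown on the page, not captured from a live run.

```shell
#!/bin/sh
# Added example: flag weak OpenPGP signing keys and plain-http APT sources.

# Reads "gpg --with-colons" records on stdin (field 1 = record type,
# field 3 = key length in bits, field 4 = algorithm number, field 5 = key ID).
# Prints "<keyid> <algo> <bits>" for every pub/sub key below 2048 bits,
# the size NIST SP 800-131A disallows after 2013 for DSA, RSA and Elgamal.
weak_keys() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            if ($4 == 1) algo = "rsa"
            else if ($4 == 17) algo = "dsa"
            else if ($4 == 16) algo = "elg"
            else algo = "algo" $4
            # Curve-based keys (ECDH/ECDSA/EdDSA: algo 18/19/22) are short by design.
            if ($4 == 18 || $4 == 19 || $4 == 22) next
            if ($3 + 0 < 2048) print $5, algo, $3
        }'
}

# Reads sources.list-style lines on stdin and prints every "deb"/"deb-src"
# line whose URI uses plain http. Comments are skipped and an optional
# [options] block such as "[arch=amd64 signed-by=...]" is stepped over.
repo_http_lines() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            if ($i ~ /^\[/) {
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            if (index($i, "http://") == 1) print
        }'
}

# Constructed sample: the keys from linux_signing_key.pub as gpg would list
# them with --with-colons (only bits, algorithm and key ID are filled in).
SAMPLE_KEYS='pub:-:1024:17:A040830F7FAC5991:::::::scSC:
sub:-:2048:16:4F30B6B4C07CB649:::::::e:
pub:-:4096:1:7721F63BD38B4796:::::::scSC:
sub:-:4096:1:78BD65473CB3BD13:::::::s:'

# Constructed sample: the REPOCONFIG line from postinst next to an https entry.
SAMPLE_REPO='# constructed sources.list
deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main
deb https://deb.debian.org/debian bullseye main'

printf '%s\n' "$SAMPLE_KEYS" | weak_keys
printf '%s\n' "$SAMPLE_REPO" | repo_http_lines
```

To audit a real system, feed it `gpg --with-colons --show-keys linux_signing_key.pub` and `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list` instead of the samples.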

Other sources showing the use of http instead of https:

Bug Reports

Related

Footnotes

  1. Quote from https://blog.jak-linux.org/2021/02/18/apt-2.2/ (archived on archive.org):

    apt-key was made obsolete in version 0.7.25.1, released in January 2010, by /etc/apt/trusted.gpg.d becoming a supported place to drop additional keyring files, and was since then only intended for deleting keys in the legacy trusted.gpg keyring.
