Docker-alpine: Security Warning: apk packages over unsecure http

Created on 11 Dec 2017  路  2Comments  路  Source: gliderlabs/docker-alpine

Hi Alpine Team,

thanks for the great work you done for the Open Source Community!
I was just making an PR to the docker-bench-security project and saw this:

sed -i 's/http\:\/\/dl-cdn.alpinelinux.org/https\:\/\/alpine.global.ssl.fastly.net/g' /etc/apk/repositories

Also in the latest Alpine Version 3.7 /etc/apk/repositories is configured to query over unsecure http:

http://dl-cdn.alpinelinux.org/alpine/v3.7/main
http://dl-cdn.alpinelinux.org/alpine/v3.7/community

Trying to get it over https in the Browser even throws a certificate warning: https://dl-cdn.alpinelinux.org/alpine/v3.7/main.

To solve this problem i would recommend to redirect all http calls to https on the server side or even enforce HSTS and then update /etc/apk/repositories to use https with the next release.

security

Cheers Maik

question
Source
picture ellerbrock
👎2 👍2

Most helpful comment

The value of https is small for apk repositories and may give a false sense of security. We have a number of mirrors which are hosted by people we don't trust, nor have we any control over the fastly cache servers, so anyone with access to those servers could modify the apk files. https would not protect you against that.

apk will verify the package against a signature embedded in the apk file, so it does not really matter that it is transferred over http.

But I don't mind using https if fastly (or someone else) is willing to burn cpu cycles on it, even if it does not add any security of significance.

picture ncopa on 28 Dec 2017
👍5

All 2 comments

The value of https is small for apk repositories and may give a false sense of security. We have a number of mirrors which are hosted by people we don't trust, nor have we any control over the fastly cache servers, so anyone with access to those servers could modify the apk files. https would not protect you against that.

apk will verify the package against a signature embedded in the apk file, so it does not really matter that it is transferred over http.

But I don't mind using https if fastly (or someone else) is willing to burn cpu cycles on it, even if it does not add any security of significance.

ncopa picture ncopa on 28 Dec 2017
👍5

apk will verify the package against a signature embedded in the apk file, so it does not really matter that it is transferred over http.

@ncopa can you provide more details on the signing process? How is this signature generated?

stefancrain picture stefancrain on 13 Dec 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

oarmstrong picture oarmstrong  路  4Comments
javixeneize picture javixeneize  路  4Comments
konradjurk picture konradjurk  路  5Comments
robinmonjo picture robinmonjo  路  4Comments
IdanAdar picture IdanAdar  路  4Comments