One of the fun things about working in computer security is the emotional rollercoaster that vendors and journalists use to try to sustain attention on security topics, get dollars spent, and get bugs fixed. “If this patch isn’t applied immediately, then the earth will be hit by asteroids and we are all going to DIE!” “If you don’t buy this security product, then your network will be hacked and you will be FIRED!”
With that said, there is one security anti-pattern that really must die an immediate death. I promise not to name and shame, but if you are doing this, please stop immediately, especially if you are doing it with a security package.
The issue at hand is the damage caused when users follow instructions similar to the following:
“1. Install the apt-get repository key:
# apt-key adv --fetch-keys http://<removed to protect the guilty>/repos/apt/conf/<removed>.key”
A pattern closely related to the above:
“$ wget -O - http://<url removed>/<removed>.key | sudo apt-key add -”
While I’m off crying softly in the corner — LOOK OUT FOR ASTEROIDS! You can read calm and well-reasoned arguments for why this (and its cousin where the key is acquired over http via wget) is such a bad practice on StackExchange and in the Debian manual. Hint: from this point forward, the database of keys used to validate packages before installation and update can no longer be trusted to contain only non-malicious keys.
Once you have recovered from the shock of realising what you have done to anyone foolhardy enough to follow your instructions, head over to Let’s Encrypt to get an SSL certificate and serve the key over https. Also, publish the key’s fingerprint along with instructions for users on how to validate the key.
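As an added example (not code from this post or from any project it refers to), here is the safer procedure the author asks for, as a POSIX shell script: the key is fetched over https only, its full fingerprint is compared with the value the project publishes, and it is installed as a dedicated keyring for apt's signed-by= option instead of into the global apt-key database. It assumes curl and gpg are installed and that the key file is ASCII-armored; the URL, fingerprint and keyring path are placeholders the caller supplies.

```shell
#!/bin/sh
# Added example, not from the original post: fetch a repository key over HTTPS,
# compare its full OpenPGP fingerprint with the value the project publishes out
# of band, and only then install it as a keyring for apt. Needs curl and gpg.
set -eu

# Normalise a fingerprint for comparison: drop spaces/colons, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]'
}

# Succeed only on an exact match of full 40-hex-digit (v4) fingerprints.
# Short key IDs (8 or 16 digits) are cheap to collide, so a prefix or suffix
# match is not evidence that this is the right key.
check_fpr() {
    exp=$(norm_fpr "$1"); got=$(norm_fpr "$2")
    case "$exp" in *[!0-9A-F]*|"") return 1 ;; esac
    [ "${#exp}" -eq 40 ] || return 1
    [ "$exp" = "$got" ]
}

# Print the fingerprint(s) found in a key file without importing it; the
# primary key's fingerprint comes first in gpg's colon-separated output.
key_fprs() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# fetch_and_install URL EXPECTED_FPR DEST  (all three are caller-supplied,
# hypothetical values; DEST is the keyring named in the apt source's signed-by=).
fetch_and_install() {
    url=$1; expected=$2; dest=$3
    tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT
    # --proto '=https' refuses plain http, including via redirect.
    curl --proto '=https' --tlsv1.2 -fsSL "$url" -o "$tmp"
    got=$(key_fprs "$tmp" | head -n 1)
    if ! check_fpr "$expected" "$got"; then
        echo "refusing to install: got '$got', expected '$expected'" >&2
        return 1
    fi
    gpg --batch --yes --dearmor -o "$dest" "$tmp"   # armored key -> binary keyring
    chmod 0644 "$dest"
}

# Usage: ./install-key.sh https://example.invalid/repo.key <fingerprint> /etc/apt/keyrings/repo.gpg
if [ "$#" -eq 3 ]; then fetch_and_install "$@"; fi
```

The matching sources.list entry then names the keyring with `signed-by=/etc/apt/keyrings/repo.gpg`, so this key can only sign packages from that one repository.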
If you see this pattern online or if you are working on an open source project which uses this anti-pattern, please feel free to drop me a line at eratliff at linuxfoundation dot org or ejratl at gmail dot com.