[Feature request] SSL and DNS over TLS at the system level for increased security

I have been experimenting with MITM attacks for over 7 months and I have been forced to seriously analyze my configurations quite a few times for deficiencies and vulnerabilities.

I now believe that

  • consistent package signatures
  • mirrors that support https only
  • services like stubby (DNS over TLS)

are definitely a first step towards better security that wipes out an entire family of attacks.

DNS over HTTPS has been suggested and promoted to solve this problem inside our browsers, but this partially solves the problem: other applications and services are still affected by the same vulnerabilities.

In my opinion, in fact, actively fighting DNS transparent proxies and spoofing, … at the system level is important to regain control of DNS, a prereq for a better internet, not just for our favorite browsers, but for any other service our computers are expected to provide us.

I’m not sure what you mean by that.

You can configure pacman-mirrors to only use HTTPS servers if you wish. See man pacman-mirrors:

-P, --proto, --protocols PROTO [PROTO] ...
              Write protocols to configuration, using all or http, https, ftp and ftps.

That’s up to you to configure on your own system.

See Security - ArchWiki for more details about hardening your system.

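One way to verify the result of restricting pacman-mirrors to HTTPS, added here as an example and not part of any post in this thread: the function below scans a mirrorlist and lists every active `Server` entry that is not HTTPS. `/etc/pacman.d/mirrorlist` is pacman's standard mirrorlist path; the function names and the sample mirror hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a pacman mirrorlist for entries that are not HTTPS.

# Print every active "Server = URL" entry whose scheme is not https.
# Returns 0 if all active mirrors are HTTPS, 1 if at least one is not,
# 2 if the file is unreadable or has no active Server entry.
non_https_mirrors() {
    file=${1:-/etc/pacman.d/mirrorlist}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk '
        /^[ \t]*#/ { next }                      # commented-out mirrors are inactive
        /^[ \t]*Server[ \t]*=/ {
            url = $0
            sub(/^[ \t]*Server[ \t]*=[ \t]*/, "", url)
            sub(/[ \t\r]+$/, "", url)
            total++
            # URL schemes are case-insensitive, so compare in lower case
            if (tolower(url) !~ /^https:\/\//) { print url; bad++ }
        }
        END { if (total == 0) exit 2; exit (bad > 0) }
    ' "$file"
}

# Constructed sample mirrorlist (hostnames are placeholders, not real mirrors).
write_sample() {
    cat > "$1" <<'EOF'
## Constructed sample
Server = https://mirror.example.com/stable/$repo/$arch
Server = http://mirror.example.org/stable/$repo/$arch
#Server = http://disabled.example.org/stable/$repo/$arch
  Server=ftp://mirror.example.net/stable/$repo/$arch
EOF
}

sample=$(mktemp)
write_sample "$sample"
non_https_mirrors "$sample" || echo "exit status $? (1 = non-HTTPS mirror present)"
rm -f "$sample"
```

Called with no argument, `non_https_mirrors` reads the system mirrorlist, so it can be run after regenerating the list to confirm that no plain HTTP or FTP mirror remains active.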

I’ve marked this answer as the solution to your question as it is by far the best answer you’ll get.

However, if you disagree with my choice, please feel free to take any other answer as the solution to your question or even remove the solution altogether: You are in control! (If you disagree with my choice, just send me a personal message and explain why I shouldn’t have done this or :heart: or :+1: if you agree)

:innocent:
P.S. In the future, please don’t forget to come back and click the 3 dots below the answer to mark a solution like this below the answer that helped you most:
Solution
so that the next person that has the exact same problem you just had will benefit from your post as well as your question will now be in the “solved” status.

About the mirrors:

@Fabby
@Yochanan

Yes, thanks.
I know that and I always run the -P https -a options before attempting any internet connection: I was just recently convinced that servers should always be simply reachable by https links because of the risk that the split (this is how it is called by some ISPs) might simply and quickly substitute any file that it sees… returning to the client a forged one, or more, automatically.

About stubby:

@Yochanan

Yes, I know that the user is in control, but I am now more than ever convinced that providing a default secure DNS by default would definitely improve the general security, for casual users as well.
Anyway, just after posting the feature request I listened to the latest Security Now! podcast and realized that TLS is and will be a problem too, at least up to a future TLS 1.4… :frowning_face:

About Fabby’s PS: Sure! I will. :+1:

The problem is caching: if you’re in a remote village in Africa, you want your local ISP to cache a remote server through its proxy server to allow you to get fast local downloads. The move to HTTPS everywhere is disadvantaging the third world as they don’t have the infrastructure to reach globally for global repositories…

:man_shrugging:
