secure https downloads via DANE

The problem with today's internet is that secret services like the NSA are spoofing sites that are important for administrators and for people who want to download open source software. The spoofed site looks like the real site, but it can contain malware to infect your computer. Usually downloads are encrypted by https and the server identifies itself by a so-called certificate. If the server has the right certificate you are very likely connected to the real server, unless the private key for encryption has been stolen. The NSA mirror sites use rogue certificates. Today certificates are signed, and thus verified to be authentic, by so-called certification authorities. However, a great many of these companies are courteous to secret services and issue rogue certificates for them to spoof important sites. The way out is not to use certification authorities (CAs) but to let the domain owner sign a hash of the server certificate, a method which is called DANE. As far as we could test it, this is a very secure way to authenticate the connection to the server. Dozens of people who had not even received my emails in the spam folder before suddenly replied when I configured Firefox to only trust a few hand-picked server certificates verified via DANE. If you want to learn how to set up a secure browsing/emailing terminal, read the general site about DANE. This page is all about securing downloads with DANE using a new tool called atea.

If you have downloaded a distribution like Debian, you have certainly verified the result against the respective SHA512SUMS file from cdimage.debian.org. Downloading this file anonymously via tails/tor may be quite safe for a current distribution, as with tor they will not know whose download is spoofed. However, for less frequently downloaded content a secure server authentication may be deemed mandatory. Luckily the server cdimage.debian.org supports DANE. The only thing you should need to do now is to download the SHA512SUMS file with atea. You will not even need to boot tails. The computer from which atea is invoked should be a clean one, however. One possibility to get a clean system for atea is deblive.

To compile atea you need libunbound-dev, libssl-dev and pkg-config. Libunbound is the library used for DANE. The second thing you need to take care of is that you have an /etc/resolv.conf with nameservers that support DNSSEC/DANE. Such nameservers are f.i. and from Cloudflare. If you want to keep your default nameservers, you can create a file called /etc/resolv.conf.DANE, which is only used to retrieve the TLSA resource record that contains the hash of the server certificate. Another issue for atea is how to find the public keys to verify the resource record signatures. The default is like --sys-keyfile, which uses the system-wide keyfiles. For distributions like openSUSE, where there are no system-wide keyfiles, --ub-keyfile is a fallback that uses the unbound library's own keyfiles.

$ atea tii https://www.elstel.org/auxil/estellnb-offline.pubkey.asc
$ atea tii -v https://cdimage.debian.org/debian-cd/10.3.0/amd64/jigdo-dlbd/SHA512SUMS
TLSA record (first three bytes are for TLSA-mode): 03:01:01:0c:8e:2d:2b:49:50:6b:cc:77:f7:70:5d:ee:69:fe:a2:30:93:55:5e:88:a2:68:4c:79:8b:8c:e1:84:2b:32:6f
hash of the server certificate: 7d:86:1f:c8:c6:d0:54:ec:74:81:3e:c4:0d:7e:14:45:50:1f:0d:0a:50:11:f1:44:bf:85:cc:6e:2f:8f:cd:ee
certificate signature in TLSA record did not match (https://cdimage.debian.org/debian-cd/10.3.0/amd64/jigdo-dlbd/SHA512SUMS)
$ atea tii-cert https://www.debian.org
server cert written to 'www.debian.org.pem'.
$ atea tii --cert www.debian.org.pem --to index.html https://www.debian.org
$ ls -l index.html
-rw-r--r-- 1 user user 14412 Feb 16 14:50 index.html

The samples above show how to download with atea and what happens if a site is spoofed. If you give the -v option, the certificate hash of the spoofed site and the expected certificate hash are returned in case of failure. If you want to back up a good certificate in case DANE should at some time be slow or unavailable, you can download a certificate file with tii-cert and later use it with the --cert option. Downloading the certificate .pem file for later use is always a good idea, since pure downloads with tii are as stable and solid as the OpenSSL library. If libunbound needs to be executed to retrieve the hash of the desired certificate before the download can start, this may introduce some instability due to buggy behaviour of libunbound. The site about DANE also gives other methods to securely retrieve a server certificate with dig or drill if you do not want to use tii-cert.
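
How a TLSA record like the one printed by -v above is read and checked against a certificate, as an added example (this is not atea's code). The field meanings follow RFC 6698; the function names are made up for this illustration, and the DER walk assumes a well-formed X.509 certificate.

```python
import hashlib
import hmac

# RFC 6698 field values; all names in this block are illustrative.
USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR = {0: "full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {0: None, 1: "sha256", 2: "sha512"}  # 0 = exact match, no hash

def parse_tlsa(colon_hex):
    """Split 'uu:ss:mm:data...' into (usage, selector, mtype, data)."""
    raw = bytes.fromhex(colon_hex.replace(":", ""))
    if len(raw) < 4:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype, data = raw[0], raw[1], raw[2], raw[3:]
    if usage not in USAGE or selector not in SELECTOR or mtype not in MATCHING:
        raise ValueError("unknown TLSA parameter")
    algo = MATCHING[mtype]
    if algo and len(data) != hashlib.new(algo).digest_size:
        raise ValueError("digest length does not fit the matching type")
    return usage, selector, mtype, data

def tlv(buf, pos):
    """Read the DER element at pos; return (content_start, element_end)."""
    length = buf[pos + 1]
    start = pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    return start, start + length

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo element of a certificate."""
    pos, _ = tlv(cert_der, 0)    # step into Certificate
    pos, _ = tlv(cert_der, pos)  # step into tbsCertificate
    # Skip [version], serial, sigalg, issuer, validity, subject (v1 has no version).
    skip = 6 if cert_der[pos] == 0xA0 else 5
    for _ in range(skip):
        _, pos = tlv(cert_der, pos)
    _, end = tlv(cert_der, pos)
    return cert_der[pos:end]

def tlsa_matches(colon_hex, cert_der):
    """True if the DER certificate satisfies the TLSA record."""
    _, selector, mtype, data = parse_tlsa(colon_hex)
    selected = spki_from_cert(cert_der) if selector == 1 else cert_der
    algo = MATCHING[mtype]
    digest = hashlib.new(algo, selected).digest() if algo else selected
    return hmac.compare_digest(digest, data)
```

For the record shown above, parse_tlsa yields usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo) and matching type 1 (SHA-256), followed by a 32-byte digest.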

It may be a problem if a site is spoofed, because atea can detect this via DANE but it cannot undo the spoofing. In such a case, try to download the file via a VPN. vpngate-extract from /software can be used to connect to a free VPN. If that does not help, complain to your internet provider that you want free and uncensored access to the web, or download the spoofed certificate with the -r option and send it to the maintainer of the download server. It is fraud if a certification authority issues rogue certs. The server maintainer will miss the spoofed accesses in the server logs.

$ atea tii-cert https://mail.dotplex.de
server cert written to 'mail.dotplex.de.pem'.
$ atea tii --cert mail.dotplex.de.pem --to index.html https://mail.dotplex.de
301 Moved Permanently
Location: https://mail.dotplex.com/
$ atea tii --to index.html https://mail.dotplex.com
saved as 'index.html.1'.
$ atea tii -hs https://www.debian.org/ >/dev/null
HTTP/1.1 200 OK
Date: Sun, 16 Feb 2020 15:06:18 GMT
Server: Apache
Content-Location: index.en.html
Vary: negotiate,accept-language,Accept-Encoding,cookie
TCN: choice
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Referrer-Policy: no-referrer
X-Xss-Protection: 1
Strict-Transport-Security: max-age=15552000
Last-Modified: Sun, 16 Feb 2020 11:27:13 GMT
ETag: "384c-59eafb85b66ad"
Accept-Ranges: bytes
Content-Length: 14412
Cache-Control: max-age=86400
Expires: Mon, 17 Feb 2020 15:06:18 GMT
X-Clacks-Overhead: GNU Terry Pratchett
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en

The above code shows what happens in case of an HTTP redirect: you need to reissue the command with the new target URL. The author has programmed it like this since another domain may require another certificate file. The last example shows how to output the HTTP headers to stderr with the -h option. The -s option pipes the file content to stdout, which is here simply discarded by redirection to the bit bucket (/dev/null). More options can be found in the manual page of atea.

$ atea tii-cert -rI https://www.elstel.org
certificate signature in TLSA record did not match (https://www.elstel.org)
server cert written to 'www.elstel.org-rogue.pem'.
$ openssl x509 -in www.elstel.org-rogue.pem -noout -subject
subject=CN = web4.dotplex.com
$ atea tii-cert -I https://web4.dotplex.de
server cert written to 'web4.dotplex.de.pem'.
$ atea tii -I https://www.elstel.org/auxil/estellnb-offline.pubkey.asc
certificate signature in TLSA record did not match (https://www.elstel.org/auxil/estellnb-offline.pubkey.asc)
$ atea tii --cert web4.dotplex.de.pem -I https://www.elstel.org/auxil/estellnb-offline.pubkey.asc

One thing we have not talked about yet is SNI: Server Name Indication. The server name is normally sent in plain text before an encrypted SSL connection is established. This is necessary because one server may use different certificates for different domains. However, you can switch that behaviour off with the -I option. Take care: if you use -I, atea may report that the certificate is wrong because it got the default server certificate instead of the certificate of the required domain. See above for how you can still download with that default server certificate for any domain hosted by the same server.

If you want to know where the word a̅tea stems from: it is the Tahitian word for distant, far away. “Ti'i” means to get or, here, to download. Future versions are planned to also support “tu'u”, i.e. uploading to an ftps server. Things not yet implemented in version 0.3 amount to download progress viewing and automatic download restarts. However, manually continuing an interrupted download with -c is already functional.

atea-v0.8.4.tar - completed fix of v0.8! 0.8.3: micro-fix: --no-check-cert works now again without --no-check-time
atea-v0.8.2.tar - small bugfix for displaying non-RSA certs
atea-v0.8.tar - checking cert date, printing certs, important security fix, 32bit: download of files >4GB
atea-v0.7.tar - fixed a linker error, improved IPv6 parsing & handling
atea-v0.6.tar - added SNI (Server Name Indication)
atea-v0.5.tar - download continuation, progress viewing, automatic restart on stalls and errors
atea-v0.3.tar - first official pre-release

Author: Elmar Stellnberger

How to use a̅tea for checking a Jabber/XMPP or a filezilla certificate hash:

atea noop --faaite-cert https://xmpp.dotplex.com:5223
server certificate:
subject: commonName = xmpp.dotplex.com
issuer: countryName = GB stateOrProvinceName = Greater Manchester localityName = Salford organizationName = Sectigo Limited commonName = Sectigo ECC Domain Validation Secure Server CA
not before: Sep 29 00:00:00 2020 GMT
not after: Oct 28 23:59:59 2021 GMT
serial: 56:92:77:19:5E:75:73:F5:70:42:FE:EF:B9:3E:6B:0A, 115074098595529330152670233537556671242
X509v3 Subject Alternative Name: DNS:xmpp.dotplex.com, DNS:xmpp.dotplex.de
Authority Information Access:
CA Issuers - URI:http://crt.sectigo.com/SectigoECCDomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.sectigo.com
key type: id-ecPublicKey
key size: ~728bit
sha1(full-cert) = E8:66:7E:6A:C8:F8:78:01:65:12:69:B9:33:BB:E7:AC:52:62:66:08
sha256(full-cert) = AD:71:B6:AD:3E:91:6D:27:D8:DC:26:1D:76:2F:B5:03:83:C8:2C:96:74:B9:4E:F2:08:B1:27:F4:79:C3:75:F7
sha512(full-cert) = 68:49:65:72:15:15:2F:85:71:F0:40:58:84:51:C5:78:B5:FB:E5:7C:60:51:2C:66:44:64:27:40:2C:D7:59:7F:B9:85:68:0D:D7:23:7C:BB:FF:4E:6F:09:11:48:40:90:47:2B:F2:7B:1B:FF:C2:5F:26:3E:98:B5:4B:AF:48:B9
sha256(pubkey) = B8:CE:A6:CA:7A:49:65:CA:C9:A8:75:BF:BC:45:B2:62:A5:BD:62:A4:34:8D:2C:41:85:AF:E3:D9:0B:84:59:12
sha512(pubkey) = C2:9F:B4:59:31:BC:A5:51:F3:B7:81:EC:9C:AA:CF:ED:B2:44:84:D3:20:0C:F3:86:8C:F0:F4:58:C6:FE:42:C6:33:95:C6:14:C2:65:B0:AA:F2:5C:57:BE:BD:69:F4:E5:4A:3B:12:0A:BD:B0:AC:A2:79:CA:91:8D:6D:B7:86:CC