Are users of Ubuntu certified computers safe from OEM SSL/TLS tampering?
Please let me raise this question here hoping that we will also receive an official answer, even though this is a mostly community-driven site.
Since Dell is now the second manufacturer after Lenovo (Superfish) just this year to compromise web security in OEM Windows installations, and both also offer Ubuntu Edition branded computers with OEM installs, I think that users trusting the Ubuntu brand deserve an answer that is far better than:
Canonical can not provide those OEM images to the public.
Source: Launchpad, see also.
This is contradictory to the benefits of free software operating systems: knowing the verifiable and reproducible state of a system and who put the parts of it together.
Answers I'd like to see:
- Is there evidence that the images that Canonical provides to OEMs don't contain modifications to the Ubuntu root certificate store? (Build system, scripts or package list used, hashes and so forth.)
- Are there already established processes that impose and ensure that OEMs offering Ubuntu certified computers never tamper with the contents of the root certificate store? (Also that they do not pre-install customized browsers, offer packages from their repositories as a bypass, or implement tricky firmware features that tamper with the certificate store.)
Supplemental answers welcome:
- One answer on how to compare the local root certificate store with the corresponding packages from the repositories. (Probably better as a separate Q&A if it doesn't exist already.)
- Optionally, answers from users with Ubuntu certified computers – look at the link above – that checked their systems this way. (Please wait a few days until we find appropriate criteria or decide if this is a good idea at all. We will probably organize it as a wiki-style answer for everyone to edit once criteria are set – no big-list answer style please. Criteria that currently come to my mind: manufacturer, model, release shipped, release currently running.)
To be clear, the problem in both events was that official certificate authority infrastructure was bypassed with very poor security standards in mind which quickly led to abuse of these certificates by other parties.
Related posts on Information Security SE:
- What security risks are posed by software vendors deploying SSL Intercepting proxies on user desktops (e.g. Superfish)
- Why was the private key of the Superfish certificate so easily extractable?
- How to detect if I am vulnerable to “Superfish,” and how to remove it?
Ubuntu's open source nature does not make it immune from the same kind of issue, where an OEM may have added malware (accidentally or deliberately), whether that be additional CA certificates or otherwise, on the images it distributes pre-installed on computers.
If you install Ubuntu yourself there are a number of measures against malicious modification by third parties: if you obtain an image of Ubuntu from an official Ubuntu source you can verify its checksum, and if you keep Ubuntu updated using APT with the official repositories you benefit from its built-in digital signing, assuring you that the packages have not been tampered with by third parties.
However, as you may suspect if Ubuntu is pre-installed by an OEM they have almost certainly made modifications to it aside from just installing the official images, for quite legitimate reasons. If bought from a trusted source it would be very unlikely that the installation would include malware, possibly even more unlikely than the typical Windows installation, but there is nothing that would make it impossible, and you only need to look at the examples from Lenovo and Dell to see how that might happen.
As for whether you need to worry, you can judge for yourself. Wiping and reinstalling from an official Ubuntu installer might quell some fears, though you will lose any OEM-specific customisation or extra functionality.
I can't answer your question about whether Ubuntu/Canonical try to police any changes to root certificate stores on OEMs' derived installations, but I can't see how that would be feasible to do comprehensively enough.
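A practical version of the comparison the question asks for (local root store versus what the `ca-certificates` package shipped), added here as an example that is not from the question, the answer, or Canonical. It assumes the standard Debian/Ubuntu paths and tools (`dpkg`, `apt-cache`, `update-ca-certificates` layout); run it with `--check-system` on the machine being inspected.

```shell
#!/bin/sh
# Added example: compare the system CA store with what the ca-certificates
# package shipped. Paths are the standard Debian/Ubuntu ones (assumption).
PKG_LIST=/var/lib/dpkg/info/ca-certificates.list   # files owned by the package
CERT_DIR=/etc/ssl/certs                             # symlink farm built by update-ca-certificates
LOCAL_DIR=/usr/local/share/ca-certificates          # admin- or OEM-added anchors land here
CONF=/etc/ca-certificates.conf                      # enabled/disabled anchors

# find_unlisted_certs LISTFILE CERTDIR
# Print every *.pem in CERTDIR whose resolved target is not a file shipped by
# the package, i.e. a trust anchor that did not come from the Ubuntu archive.
find_unlisted_certs() {
    listfile=$1; certdir=$2
    for pem in "$certdir"/*.pem; do
        [ -e "$pem" ] || continue
        target=$(readlink -f "$pem")
        grep -qxF -- "$target" "$listfile" || printf '%s -> %s\n' "$pem" "$target"
    done
}

# count_local_anchors LOCALDIR: number of .crt files someone dropped in locally
count_local_anchors() {
    find "$1" -type f -name '*.crt' 2>/dev/null | wc -l | tr -d ' '
}

# check_system: run all checks against the live machine
check_system() {
    echo "== package origin (should be an *.ubuntu.com mirror) =="
    apt-cache policy ca-certificates
    echo "== package files modified since install (empty output is good) =="
    dpkg --verify ca-certificates
    echo "== anchors in $CERT_DIR not shipped by ca-certificates =="
    find_unlisted_certs "$PKG_LIST" "$CERT_DIR"
    echo "== locally added anchors: $(count_local_anchors "$LOCAL_DIR") =="
    find "$LOCAL_DIR" -type f -name '*.crt' 2>/dev/null
    echo "== entries in $CONF outside the mozilla/ bundle (review manually) =="
    grep -v '^#' "$CONF" | grep -v '^!*mozilla/' || true
}

if [ "${1:-}" = "--check-system" ]; then
    check_system
fi
```

Browsers keep their own NSS stores, so a clean result here says nothing about Firefox profiles or Chromium's `~/.pki/nssdb` (`certutil -d sql:$HOME/.pki/nssdb -L` from `libnss3-tools` lists the latter).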