Date: Tue, 3 Mar 2015 13:32:57 +0300
From: gremlin@...mlin.ru
To: oss-security@...ts.openwall.com
Subject: Re: validation on update

On 2015-03-02 19:24:30 +0000, Simon McVittie wrote:

 >>>> Does it use any sort of package signing and signature
 >>>> verification?
 >>> Seeing as the patch only does s/http/https/,
 >> Obviously, that doesn't really help.
 > It's a start, at least...

Of course, that's much better than nothing.

 > it tells you that this was a reply to your request, made by
 > someone controlling the corresponding private key for a "valid"
 > certificate for Maven Central's hostname.

That's good for the first communication.

 > An end-to-end integrity check from the original publisher to
 > the consumer would prevent more attacks, but would also be
 > harder to deploy (it requires action from each publisher,

Running `gpg --detach-sign < package.tar.gz > package.tar.gz.sig`
(or, better, `gpg -ba ...`) on each release isn't a big deal...

 > verification at each consumer,

Running `gpg --verify package.tar.gz.sig package.tar.gz` will do
that just perfectly. And, when talking about automatic updates,
that should be included in the update procedure.

 > and a way to determine whether publisher X is authorized to
 > publish package Y);

`gpg --no-default-keyring --keyring /path/authors.pub --verify ...`

 > protecting against trivial attacks is not as good as protecting
 > against sophisticated attacks, but seems considerably better
 > than not protecting against anything at all.

Yes. But I hope the software developers won't stop after that
and will use the above-mentioned trivial commands as well.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net

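The three commands in the message above (detached signing with `gpg -ba`, `gpg --verify`, and verification restricted to an authors-only keyring with `--no-default-keyring --keyring`) chained into one runnable demonstration. This is an added example, not code from the original e-mail or from Maven Central; it assumes GnuPG 2.x is installed, and the file names, the two user IDs and the "release" payload are constructed for the demo. It shows what each layer catches: a tampered release fails `--verify` outright, while a release carrying a perfectly valid signature from a key that is not in the authors keyring verifies against the default keyring but is rejected against the restricted one.

```shell
#!/bin/sh
# Added example (not from the original message): throwaway GnuPG setup that
# signs a constructed release tarball, verifies it, and shows why the consumer
# should verify against a keyring holding only the authorized publishers.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not found; nothing to run" >&2; exit 0; }

# Common flags: unattended, no pinentry, empty passphrase, overwrite outputs.
g() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Unattended key creation (default algorithm, default usage, no expiry).
gen_key() { g --quick-generate-key "$1" default default never; }

# Publisher side: ASCII-armoured detached signature, equivalent to `gpg -ba`.
sign_release() {   # $1 = release file, $2 = signing user ID; writes $1.asc
  g --local-user "$2" --armor --detach-sign --output "$1.asc" "$1"
}

# Consumer side, step 1: is the signature valid under ANY locally known key?
verify_any() { g --verify "$1.asc" "$1" 2>/dev/null; }

# Consumer side, step 2: is the signer an AUTHORIZED publisher?  Only keys in
# the authors keyring ($2) are consulted; an unknown signer means "no".
verify_authorized() {   # $1 = release file, $2 = keyring of authorized keys
  g --no-default-keyring --keyring "$2" --verify "$1.asc" "$1" 2>/dev/null
}

report() {   # $1 = label, rest = command; prints "label: OK" or "label: rejected"
  label="$1"; shift
  if "$@"; then echo "$label: OK"; else echo "$label: rejected"; fi
}

run_demo() {
  WORK="$(mktemp -d)"
  export GNUPGHOME="$WORK/gnupghome"      # isolated; never touches ~/.gnupg
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  REL="$WORK/release.tar.gz"; AUTHORS="$WORK/authors.pub"   # invented names

  gen_key "Release Manager <release@example.org>"   # the real publisher
  gen_key "Somebody Else <other@example.org>"       # known locally, not authorized
  g --export release@example.org > "$AUTHORS"       # authors keyring: publisher only

  printf 'constructed release payload\n' > "$REL"   # constructed "tarball"
  sign_release "$REL" release@example.org
  report "genuine release, any locally known key" verify_any "$REL"
  report "genuine release, authors keyring" verify_authorized "$REL" "$AUTHORS"

  printf 'constructed release payl0ad\n' > "$REL"   # one byte changed in transit
  report "tampered release, any locally known key" verify_any "$REL"

  printf 'constructed release payload\n' > "$REL"   # intact, but re-signed by impostor
  sign_release "$REL" other@example.org
  report "impostor-signed release, any locally known key" verify_any "$REL"
  report "impostor-signed release, authors keyring" verify_authorized "$REL" "$AUTHORS"

  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$WORK"
}

run_demo
```

The second-to-last line of output is the one to notice: `gpg --verify` on its own reports a good signature for the impostor's copy, because "valid signature" only means "some key on my keyring signed this". The authorization question is answered by what is allowed onto `authors.pub`, which is why that keyring should be populated from the project's own published keys, not from a keyserver lookup at update time.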