Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 22 Mar 2015 20:50:40 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE for Kali Linux

On Sun, Mar 22, 2015 at 08:23:00PM +0300, Solar Designer wrote:
> On Sun, Mar 22, 2015 at 12:54:57PM -0400, David A. Wheeler wrote:
> > On 2015-02-26 I reported to Cygwin that they had a similar man-in-the-middle issue.
> > The Cygwin package manager (which downloaded all other packages) was unprotected
> > and downloaded using http (as http://cygwin.com/setup-x86.exe or http://cygwin.com/setup-x86_64.exe).
> > They changed it to load with HTTPS, and later added HTTP Strict Transport Security (HSTS).
> 
> IMO, http vs. https is a red herring.  We shouldn't be focusing on
> security of software downloads, but rather on authenticity of the
> software.  If the distribution web server gets compromised, https
> doesn't help.  Thus, GPG signatures and the like.

I think I need to add that Cygwin's setup-*.exe was special, and that it
actually needed the switch to https.  (In addition to having proper
signatures for it.)  Thank you, David!

Other software downloads also benefit from https slightly - not only in
the way I mentioned (partially hiding from some observers which exact
software is being downloaded), but also through providing some limited
security from MITM attacks for people's manual downloads even when those
people wouldn't bother to verify signatures.  This is not limited to
just Cygwin, although with Cygwin's setup-*.exe I think it mattered more
than for most other software.

However, I think this is an operations best practices issue and not a
software issue, whereas lack of proper signatures in a software update
mechanism is much closer to being an issue with the software itself.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.