Date: Sun, 22 Mar 2015 23:58:06 -0400
From: Daniel Micay <danielmicay@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE for Kali Linux

On 22/03/15 03:23 PM, Stephen Kitt wrote:
> On Sun, 22 Mar 2015 14:33:01 -0400, Daniel Micay <danielmicay@...il.com>
> wrote:
> [...]
>> At best, GPG offered *zero value* compared to checking a hash provided
>> via HTTPS, grabbing a torrent file via HTTPS or downloading directly via
>> HTTPS. However, I think it's pretty clear that few users would have gone
>> through with this and all it did was maintain the same security offered
>> by the HTTPS PKI.
> [...]
> 
> I don't have any objection to the rest of your argumentation, which seems
> sensible to me; at the very least it's clear that all this needs to be made
> much easier, and (proper) HTTPS use should be encouraged.
> 
> But I do believe that *at best*, GPG offers something that HTTPS doesn't:
> signature validation with peer-to-peer trust via the web of trust. This is
> "at best" because most users don't have a key in the strong set; but at least
> for Debian, the archive keys are in the strong set, so anyone else with a
> key in the strong set has at least one trust path to the archive key.
> 
> Of course that doesn't really help with the MITM scenario, since end users
> would need to know that the archive key is supposed to be signed, and by
> whom...

An attacker only needs control over a few keys in the strong set to add
any number of keys they want, which can then sign other keys. There's
value in the GPG WoT but it's non-trivial to extract it. You could
specifically find Debian devs and obtain their fingerprints securely
from various other places. I think the number of users who are going to
do this can probably be counted on a single hand. If there were actually
instructions on this in the installation guide, it could be argued that
a secure option is there.

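To make the trust-path argument in this exchange concrete, here is an added illustration that is not part of the thread and is not GnuPG's own trust computation: a constructed certification graph (keys and signatures invented for the example) in which one strong-set key, dev3, is assumed to be under an attacker's control. A path existing to a key proves little on its own; limiting chain depth, excluding keys you no longer trust, and checking whether every path rests on a single certifier are checks a verifier can apply.

```python
from collections import deque

# Constructed certification graph for illustration only (not the Debian keyring).
# An edge A -> B means key A has certified (signed) key B.  "dev3" is assumed to
# be a strong-set key an attacker controls; it has certified "mallory", who in
# turn certifies a look-alike "fake-archive" key.
CERTS = {
    "user": {"dev1", "dev2"},
    "dev1": {"dev2", "archive"},
    "dev2": {"dev1", "dev3"},
    "dev3": {"archive", "mallory"},
    "mallory": {"fake-archive"},
    "archive": set(),
    "fake-archive": set(),
}
def trust_path(certs, start, target, max_depth=5):
    """Shortest certification chain from start to target (inclusive), or None
    if no chain of at most max_depth hops exists.  Plain BFS over the graph."""
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        key, path = queue.popleft()
        if key == target:
            return path
        if len(path) - 1 >= max_depth:
            continue  # chain is already as long as the cap allows
        for nxt in sorted(certs.get(key, ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None

def path_without(certs, start, target, excluded, max_depth=5):
    """Like trust_path, but ignoring every key in `excluded` (e.g. keys you
    no longer trust) and every certification they made or received."""
    pruned = {k: {v for v in vs if v not in excluded}
              for k, vs in certs.items() if k not in excluded}
    return trust_path(pruned, start, target, max_depth)

def single_points_of_failure(certs, start, target, max_depth=5):
    """Keys whose removal leaves start with no path to target: if this set is
    non-empty, the whole trust path rests on a single certifier."""
    return {k for k in certs if k not in (start, target)
            and path_without(certs, start, target, {k}, max_depth) is None}

if __name__ == "__main__":
    print("archive:", trust_path(CERTS, "user", "archive"))
    print("fake-archive:", trust_path(CERTS, "user", "fake-archive"))
    print("fake-archive SPOFs:", single_points_of_failure(CERTS, "user", "fake-archive"))
```

Both the real and the look-alike archive key are reachable from the user's key; only the depth cap, the exclusion of dev3, or the single-certifier check separates them.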