Date: Sun, 22 Mar 2015 23:58:06 -0400
From: Daniel Micay <danielmicay@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE for Kali Linux

On 22/03/15 03:23 PM, Stephen Kitt wrote:
> On Sun, 22 Mar 2015 14:33:01 -0400, Daniel Micay <danielmicay@...il.com>
> wrote:
> [...]
>> At best, GPG offered *zero value* compared to checking a hash provided
>> via HTTPS, grabbing a torrent file via HTTPS or downloading directly via
>> HTTPS. However, I think it's pretty clear that few users would have gone
>> through with this and all it did was maintain the same security offered
>> by the HTTPS PKI.
> [...]
>
> I don't have any objection to the rest of your argumentation, which seems
> sensible to me; at the very least it's clear that all this needs to be made
> much easier, and (proper) HTTPS use should be encouraged.
>
> But I do believe that *at best*, GPG offers something that HTTPS doesn't:
> signature validation with peer-to-peer trust via the web of trust. This is
> "at best" because most users don't have a key in the strong set; but at least
> for Debian, the archive keys are in the strong set, so anyone else with a
> key in the strong set has at least one trust path to the archive key.
>
> Of course that doesn't really help with the MITM scenario, since end users
> would need to know that the archive key is supposed to be signed, and by
> whom...

An attacker only needs control over a few keys in the strong set to add any
number of keys they want, which can then sign other keys. There's value in the
GPG WoT but it's non-trivial to extract it. You could specifically find Debian
devs and obtain their fingerprints securely from various other places. I think
the number of users who are going to do this can probably be counted on a
single hand. If there were actually instructions on this in the installation
guide, it could be argued that a secure option is there.
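The two points made above (a trust path to the archive key exists for anyone in the strong set, yet a handful of attacker-controlled strong-set keys can give a trust path to any key at all) can be seen on a small signature graph. This is an added illustration, not code from the thread; the key names, the graph and the "independently verified" set are constructed for the example.

```python
from collections import deque

# Constructed signature graph for illustration; no real keys or people.
# An edge A -> B means "key A has signed key B". "user" is the verifying
# user's own key and "archive" the genuine archive signing key.
# "compromised" is a strong-set key under attacker control; it has signed
# a key the attacker made up ("rogue-archive"), which therefore also gains
# a trust path from the user.
SIGNATURES = {
    "user": ["dev1"],
    "dev1": ["dev2", "archive"],
    "dev2": ["dev1", "archive", "compromised"],
    "compromised": ["dev2", "rogue-archive"],
    "archive": [],
    "rogue-archive": [],
}

# Fingerprints the user obtained out of band (developers' own pages,
# keysigning parties): the "secure option" the thread describes.
INDEPENDENTLY_VERIFIED = {"dev1", "dev2"}


def trust_path(graph, start, target, max_depth=5):
    """Shortest chain of signatures from start to target, or None.

    max_depth bounds the number of hops, like GnuPG's max-cert-depth
    (default 5). A path existing says nothing about who the signers are.
    """
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_depth:
            continue
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def verified_signers(graph, target, verified):
    """Signers of target whose fingerprints were checked out of band."""
    return {k for k, signed in graph.items() if target in signed and k in verified}


if __name__ == "__main__":
    for key in ("archive", "rogue-archive"):
        print(key, trust_path(SIGNATURES, "user", key),
              verified_signers(SIGNATURES, key, INDEPENDENTLY_VERIFIED))
```

Both keys have a trust path, but only the genuine one carries signatures from fingerprints the user verified elsewhere, which is the check the thread says end users would need to know to perform.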