Date: Tue, 3 Mar 2015 13:32:57 +0300
From: gremlin@...mlin.ru
To: oss-security@...ts.openwall.com
Subject: Re: validation on update

On 2015-03-02 19:24:30 +0000, Simon McVittie wrote:

 >>>> Does it use any sort of package signing and signature
 >>>> verification?
 >>> Seeing as the patch only does s/http/https/,
 >> Obviously, that doesn't really help.
 > It's a start, at least...

Of course, that's much better than nothing.

 > it tells you that this was a reply to your request, made by
 > someone controlling the corresponding private key for a "valid"
 > certificate for Maven Central's hostname.

That's good for the first communication.

 > An end-to-end integrity check from the original publisher to
 > the consumer would prevent more attacks, but would also be
 > harder to deploy (it requires action from each publisher,

Running `gpg --detach-sign < package.tar.gz > package.tar.gz.sig`
(or, better, `gpg -ba ...`) on each release isn't a big deal...

 > verification at each consumer,

Running `gpg --verify package.tar.gz.sig package.tar.gz` will do
that just perfectly. And, when talking about automatic updates,
that should be included in the update procedure.

 > and a way to determine whether publisher X is authorized to
 > publish package Y);

`gpg --no-default-keyring --keyring /path/authors.pub --verify ...`

 > protecting against trivial attacks is not as good as protecting
 > against sophisticated attacks, but seems considerably better
 > than not protecting against anything at all.

Yes. But I hope the software developers won't stop after that
and will use the above-mentioned trivial commands as well.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
