Date: Sun, 22 Mar 2015 20:50:40 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE for Kali Linux

On Sun, Mar 22, 2015 at 08:23:00PM +0300, Solar Designer wrote:
> On Sun, Mar 22, 2015 at 12:54:57PM -0400, David A. Wheeler wrote:
> > On 2015-02-26 I reported to Cygwin that they had a similar man-in-the-middle issue.
> > The Cygwin package manager (which downloaded all other packages) was unprotected
> > and downloaded using http (as http://cygwin.com/setup-x86.exe or http://cygwin.com/setup-x86_64.exe).
> > They changed it to load with HTTPS, and later added HTTP Strict Transport Security (HSTS).
>
> IMO, http vs. https is a red herring. We shouldn't be focusing on
> security of software downloads, but rather on authenticity of the
> software. If the distribution web server gets compromised, https
> doesn't help. Thus, GPG signatures and the like.

I think I need to add that Cygwin's setup-*.exe was special, and that it
actually needed the switch to https. (In addition to having proper
signatures for it.) Thank you, David!

Other software downloads also benefit from https slightly - not only in
the way I mentioned (partially hiding from some observers which exact
software is being downloaded), but also through providing some limited
security from MITM attacks for people's manual downloads even when those
people wouldn't bother to verify signatures. This is not limited to just
Cygwin, although with Cygwin's setup-*.exe I think it mattered more than
for most other software. However, I think this is an operations best
practices issue and not a software issue, whereas lack of proper
signatures in a software update mechanism is much closer to being an
issue with the software itself.

Alexander