Date: Sun, 22 Mar 2015 14:16:09 -0400 (EDT)
From: "David A. Wheeler" <>
To: "oss-security" <>
Subject: Re: CVE for Kali Linux

On Sun, 22 Mar 2015 20:23:00 +0300, Solar Designer <> wrote:
> IMO, http vs. https is a red herring.  We shouldn't be focusing on
> security of software downloads, but rather on authenticity of the
> software.  If the distribution web server gets compromised, https
> doesn't help.  Thus, GPG signatures and the like.

I agree with you in *principle*.  However, people almost never check signatures
if that process is a separate step. HTTPS is far more secure than
"HTTP plus signatures that are never checked" :-).
Their switch from HTTP to HTTPS for executable downloads is an improvement in *practice*.
(All other downloads are checked with signatures and cryptographic hashes; the
challenge, as always, is getting started with a trust root.)

We need to find ways to make checking essentially automatic in ways it's not today,
preferably ways that don't create more monopoly control points.
Yes, I'm aware that there are many places where they *are* checked automatically;
I'm focusing on the areas where they are not.

--- David A. Wheeler
