
Re: Just an idea



On Fri, 2 May 2003, Shane J Pearson wrote:

> Yes, but I don't see how providing a sums file on the ftp sites gives
> any security gains. Why would the sums file be any more authoritative than
> the files it references on the same server?

i didn't disagree with you that having the sums on the same server is
not a security measure at all. all i said was the project has already
decided this is an acceptable risk.

the biggest problem is that you can't have any method of getting the sums
in or with the files and forcibly using them without resorting to public
key crypto and a certificate hierarchy or some sort of authoritative key
that signs these detached signatures. any md5 file can be replaced by an
attacker, and forcing people to contact 3 different systems just to verify
one package will not fly. that leaves us with some sort of detached
signature.

but that's an idea that's already been rejected.

i wholeheartedly agree that some form of package signing would be nice.
however, even if you use the ports tree and use the md5s for the distfiles
(which is what caught most of the trojans in 2002), you can still be
compromised by bum patches inserted into a cvs mirror or the ports tree
archive by an attacker.

there is no easy solution to this.

___________________________
jose nazario, ph.d.			jose@monkey.org
					http://www.monkey.org/~jose/
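The two points made in this thread (a sums file on the same server detects corruption but not substitution, and only a detached signature checked against a key obtained out of band closes that gap) can be shown in a small simulation. The Go program below is an added example, not code from the post or from any BSD project. It assumes Ed25519 for the detached signature and SHA-256 for the sums file (the post talks about md5 files; the algorithm choice does not change the argument), and the package name, package contents and file names are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// PkgName is a constructed package name for the scenario.
const PkgName = "example-1.0.tgz"

// Mirror models what one ftp mirror serves: the package, a sums file
// generated on the same server, and a detached signature over that sums file.
type Mirror map[string][]byte

// sumsLine renders one checksum entry in the style of the BSD digest tools
// (SHA-256 here; the post discusses md5 files).
func sumsLine(name string, data []byte) []byte {
	return []byte(fmt.Sprintf("SHA256 (%s) = %x\n", name, sha256.Sum256(data)))
}

// Publish is what the project does once, off the mirror: sign the sums file
// with its own key and push package, sums and signature to the mirror.
func Publish(priv ed25519.PrivateKey, pkg []byte) Mirror {
	sums := sumsLine(PkgName, pkg)
	return Mirror{
		PkgName:      pkg,
		"SHA256":     sums,
		"SHA256.sig": ed25519.Sign(priv, sums),
	}
}

// Compromise models an attacker who controls the mirror: the package is
// swapped, the sums file regenerated, and the signature replaced with one
// from the attacker's own key, since the project's private key is not on
// the mirror.
func Compromise(m Mirror, evil []byte, attackerPriv ed25519.PrivateKey) Mirror {
	t := Mirror{}
	for k, v := range m {
		t[k] = v
	}
	sums := sumsLine(PkgName, evil)
	t[PkgName] = evil
	t["SHA256"] = sums
	t["SHA256.sig"] = ed25519.Sign(attackerPriv, sums)
	return t
}

// CheckSumsOnly is the only check a sums file on the same server supports:
// it catches transfer corruption, not substitution by whoever owns the server.
func CheckSumsOnly(m Mirror) bool {
	return bytes.Equal(m["SHA256"], sumsLine(PkgName, m[PkgName]))
}

// CheckDetachedSig verifies the sums file against a key the user pinned
// out of band (fetched once, not from the mirror being checked), and only
// then trusts the sums file to check the package.
func CheckDetachedSig(m Mirror, pinned ed25519.PublicKey) bool {
	if !ed25519.Verify(pinned, m["SHA256"], m["SHA256.sig"]) {
		return false
	}
	return CheckSumsOnly(m)
}

// Scenario runs both checks against an honest and a compromised mirror and
// returns (sumsHonest, sigHonest, sumsCompromised, sigCompromised).
func Scenario() (bool, bool, bool, bool) {
	projPub, projPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	honest := Publish(projPriv, []byte("constructed package contents"))
	bad := Compromise(honest, []byte("constructed substituted contents"), attackerPriv)
	return CheckSumsOnly(honest), CheckDetachedSig(honest, projPub),
		CheckSumsOnly(bad), CheckDetachedSig(bad, projPub)
}

func main() {
	a, b, c, d := Scenario()
	fmt.Printf("honest mirror:      sums=%v sig=%v\n", a, b)
	fmt.Printf("compromised mirror: sums=%v sig=%v\n", c, d)
}
```

The compromised mirror passes the sums-only check, which is exactly why a sums file beside the files adds no security against a hostile server; the detached-signature check fails because the attacker re-signed with a key that is not the pinned one. The one out-of-band fetch is the pinned public key, not a per-package trip to extra systems.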