signed archives: an evaluation of internet trust

CanSecWest April, 2003

Jose Nazario

April, 2003

ABSTRACT: in 2002, a series of high-profile compromises of internet software servers resulted in the alteration of software archives. this prompted an evaluation of the state of trust of the signed software distribution system. over 2800 archives representing over 1400 unique software packages were downloaded and their corresponding signatures evaluated for validity. these software packages were pulled from over 260 different sites and the keys retrieved only during the verification stage. of the over 2800 archives checked, only 5 errors were found, three of which were found to be false negatives. additionally, the characteristics of the keys used to sign these archives along with the key distribution systems were studied. these findings highlight weaknesses in the signed archive distribution system and demonstrate clear vulnerabilities facing several projects.

Presentation
[Hi-res - HTML] [Low-res - PS] [Low-res - PDF] [Text, English, Spanish, French - HTML]


The presentation was generated using Magicpoint 1.09a, from http://www.mew.org/mgp/. A Makefile was used to generate the PostScript, PDF and HTML output. The Makefile is available, and it's rather generic for Magicpoint presentations. TTF fonts were downloaded from Microsoft's TTF download site at http://www.microsoft.com/typography/fontpack/default.htm.