Cryptographically signed releases

Alex Efros powerman at powerman.name
Sun Jan 5 08:37:20 CET 2014


Hi!

On Sun, Jan 05, 2014 at 04:17:46AM +0100, Marc Lehmann wrote:
> > Well, data in a https connection cannot be trivially exchanged with 
> > something else without having the key.
> > In my opinion that would be the whole point, to prevent trivial attacks.
> Trivial attacks such as man-in-the-middle attacks on specific targets?

Yep. Sadly, nowadays it has become one of the standard components of worms -
when one computer in a local network is infected and tries to gather info
about its neighbour systems and infect them, it uses MITM.

> > > I think for anybody who didn't live under a rock for the last two years
> > > (security-wise), it should be obvious that this isn't true - you don't
> > > have to be a government agency to get fake certificates at all.
> > That's correct, but not the point.

Okay, I'm trying to keep an eye on this, but maybe I've missed something.
I've read about a few incidents with CAs and some special attacks on SSL in
recent years, but I don't remember any which makes it possible for an ordinary
hacker to make fake certificates for any website which will be accepted by
even one of the major browsers (if it's not too outdated).
So, it would be nice if you'd give me a link explaining what you're
talking about.

> > I am pretty sure what he meant is a package maintainer of a linux 
> > distribution.
> That makes sense, thanks. I am not sure why that would make a difference
> though - I publish my software for everybody, not specifically distro
> maintainers.

This makes a difference for end-users - when distro maintainers make a
package for some software it's their responsibility to make sure they've
downloaded an unmodified version of that software. Packages usually include
checksums, so end-users are already protected against modifications.
So, what I've tried to say is that it's not my headache whether you provide
checksums or not, because I'm using your software in packages which already
have such checksums, but it may help package maintainers.

> It often makes sites very hard to access, especially on browsers like
> firefox, who are less interested in security and more into making money
> for CAs.
…
> Which is what https relies on to avoid the "trivial" modification attacks.

I don't think the first is really "often" and the second is really as
non-trivial as you're saying. And it doesn't look like either of us can really
prove his point of view. But I think this should be obvious:
- it's not really a problem to make your site accessible using https, even
  for firefox - all other https sites somehow overcome this problem :)
- while https won't provide 100% protection against all the evil of the world,
  it will make things more secure, which should be considered a good thing

-- 
			WBR, Alex.




More information about the rxvt-unicode mailing list