Date: Mon, 13 Jan 2003 08:59:39 -0800
From: David Schultz <dschultz@uclink.Berkeley.EDU>
To: "Nathan J. Yoder" <njyoder@gummibears.nu>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: digital signatures for downloads
Message-ID: <20030113165939.GA7457@HAL9000.homeunix.com>
In-Reply-To: <6121584208.20030113005107@gummibears.nu>
References: <6121584208.20030113005107@gummibears.nu>
Thus spake Nathan J. Yoder <njyoder@gummibears.nu>:
> I'd like to suggest that the downloads for FreeBSD systems
> (whether directly through *.FreeBSD.org or not) should be digitally
> signed. By digital signature I don't simply mean a bare MD5 hash, as
> that could have been changed in transit. Most importantly, this would
> include cvs files transferred via cvsup (FreeBSD source and ports),
> pre-compiled binary packages and security patches.

That's a good idea, but it's rather hard to implement. Signing every
CVS revision would not only be computationally expensive, but it would
make it impossible to do the signing "offline" in a secure environment.
That has negative implications for the security of the security
officer's private key. Signing a CVS snapshot for every release, on the
other hand, is more reasonable. It wouldn't be seamlessly integrated
into CVS, and it would be inefficient on the client end, but it could at
least be automated (e.g. integrated into 'make update'.)

> While the FreeBSD security advisories are signed, they
> don't include secure hashes of the patches, rather they just provide
> an insecure FTP link. This leaves it wide open for a MITM attack (in
> the case of FTP this is relatively easy if you can sniff traffic and
> the person uses active mode).

No, a MITM attack isn't possible if you verify the signatures. If
someone hijacks your FTP connection while you download the patch and
detached PGP signature and sends you a trojan horse instead, you will
find that the signature on the modified patch was not made by the
FreeBSD security officer.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
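The property the reply relies on, as an added example that is not part of the thread: a patch signed offline with a detached signature is still rejected on the client side when the download is swapped, whereas a bare MD5 that travels over the same FTP link is useless once the attacker replaces it too. The script assumes the `openssl` CLI is installed and uses an RSA/SHA-256 detached signature in place of PGP; every file in it is constructed on the spot.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes the openssl
# command-line tool; RSA/SHA-256 stands in for the PGP detached signature.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# --- offline, security officer side: keypair, patch, detached signature ---
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out so.key >/dev/null 2>&1
openssl pkey -in so.key -pubout -out so.pub 2>/dev/null
printf -- '--- a/sys/foo.c\n+++ b/sys/foo.c\n@@ -1 +1 @@\n-old\n+fixed\n' > patch.txt
openssl dgst -sha256 -sign so.key -out patch.txt.sig patch.txt
openssl dgst -md5 patch.txt | awk '{print $NF}' > patch.txt.md5   # the "bare MD5"

# --- what someone sitting on the FTP path can do: replace every file served,
#     and even sign the replacement with a key of their own ---
printf -- '--- a/sys/foo.c\n+++ b/sys/foo.c\n@@ -1 +1 @@\n-old\n+changed\n' > trojan.txt
openssl dgst -md5 trojan.txt | awk '{print $NF}' > trojan.txt.md5
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.key >/dev/null 2>&1
openssl dgst -sha256 -sign other.key -out trojan.txt.sig trojan.txt

# Bare-hash check: passes whenever the hash file was swapped along with the file.
md5_matches() {  # $1 file, $2 file holding the expected hex digest
  [ "$(openssl dgst -md5 "$1" | awk '{print $NF}')" = "$(cat "$2")" ]
}

# Signature check against the officer's public key (obtained out of band, not
# over the same FTP session): a forged patch needs the officer's private key.
sig_verifies() {  # $1 file, $2 detached signature
  openssl dgst -sha256 -verify so.pub -signature "$2" "$1" >/dev/null 2>&1
}

md5_matches patch.txt  patch.txt.md5  && echo "md5: genuine patch accepted"
md5_matches trojan.txt trojan.txt.md5 && echo "md5: swapped patch with swapped hash also accepted"
sig_verifies patch.txt  patch.txt.sig  && echo "sig: genuine patch accepted"
sig_verifies trojan.txt patch.txt.sig  || echo "sig: swapped patch, original signature: rejected"
sig_verifies trojan.txt trojan.txt.sig || echo "sig: swapped patch, attacker's signature: rejected"
```

The check only holds if the officer's public key was fetched and fingerprint-checked through a channel the attacker does not control; a key downloaded over the same hijacked session proves nothing.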
