[clug] How you know your Free or Open Source Software Project is doomed to FAIL
Paul Harvey
csirac2 at gmail.com
Thu Jul 30 01:01:34 UTC 2015
On 30 July 2015 at 08:16, Alex Satrapa <grail at goldweb.com.au> wrote:
> On 30 Jul 2015, at 02:43, James Ring <sjr at jdns.org> wrote:
>>
>> If you trust the site and you get the bytes via SSL and the
>> certificate checks out, how is this different from downloading and
>> running some binary from, say, Debian archives?
>
> The stuff you fetch from Debian binary archives is signed, so you know it wasn’t corrupted en-route.
>
> If you download the script using CURL or Wget and actually look at it to make sure it seems legit (not many of us will be able to read through and tell that it is 100% legit), then it’s safe(r) to run. Even better, the site could ship the code as a tarball with a published MD5/SHA1 checksum (or whatever the cool kids are using these days).
>
> Blindly downloading, especially with instructions that suggest ignoring SSL certificate errors, will lead to MITM attacks. It’s like the 3 second gap when you’re driving: you don’t *expect* things to go wrong, but at least you’re better prepared for when they do.
Indeed, there's a highly cited paper (admittedly aging a bit by now)
from 2012 citing the many problems with SSL certificate validation in
non-browser software such as curl (presumably mostly fixed by now):
https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
Even without these problems, most distro package managers maintain a
very small, specific set of PGP public keys which is a far smaller,
and hopefully more robust and "simpler" (if that word can be used in
conjunction with PGP generally) infrastructure than the flimsy (and
arguably, utterly broken) sprawling CA infrastructure holding up the
rickety world of https. It's much easier to revoke a compromised PGP
key (for a distro), for example. PGP private (signing) keys can
potentially be easier to control/protect (admittedly, still not many
people are keeping their PGP keys on Yubi/GoldKeys/smartcards though).
There are fewer moving parts (the paper discusses weaknesses in DNS
etc).
That said, I hope OpenBSD's signify replaces PGP for this kind of
usage: http://www.tedunangst.com/flak/post/signify
More information about the linux
mailing list