Re: [GNU-linux-libre] Help users to verify their downloads
From: Jean Louis
Subject: Re: [GNU-linux-libre] Help users to verify their downloads
Date: Mon, 25 Jun 2018 13:38:50 +0200
User-agent: Mutt/1.10.0 (2018-05-17)
On Mon, Jun 25, 2018 at 07:15:21AM -0400, bill-auger wrote:
> On Mon, 2018-06-25 at 11:33 +0200, Jean Louis wrote:
> > If users don't know how to verify PGP fingerprints
> > with the issues of the PGP key, and it is anyway
> > unlikely that any serious percentage would be
> > doing so, then we are wasting time by creating
> > apparent security.
>
> it is why package managers such as apt and
> pacman run the verifications implicitly so that
> the user does not need to know how it is done
It ends up in belief, not assurance.
If the user did not verify fingerprints by some other
communication line, in reality nothing has been
really secured; we have got belief only, and not
assurance.
Servers can be compromised, and they do get
occasionally compromised.
An example where a full distribution was compromised:
https://www.techrepublic.com/article/why-the-linux-mint-hack-is-an-indicator-of-a-larger-problem/
pacman or another package manager verifies that the
package has been signed by the referenced PGP
key.
For the user, especially if the user does not know
anything, it really means nothing, because there is
no true security there.
If you don't know which door in your house is
closed or open, that does not mean your doors are
closed and you are safe, just because you don't
know it.
Servers can be compromised and package databases
can be compromised.
PGP keys can be published without any connection
between the actual key controller and the email
address or PGP identity.
There are a few fake PGP identities of RMS on PGP
servers, for example.
It gives some feeling of assurance; it does not
give security.
It all ends up with trust based on belief in
the domain and servers, and that the domain and
its servers where packages or package databases
are located are trusted.
But there is no assurance whatsoever to know if
that domain was cracked, as we all do not have
any access to the domain.
So we believe the maintainers who maintain their
domains and servers that nothing was compromised.
Which means there is no security at all.
We base the downloads of free software on trust,
not on security.
All these facts shall be made known by each
distribution:
- that hashes help only to verify that the expected
file arrived from the server to the local computer, and
say nothing about the genuineness of the package or
that it is not compromised, and that a hash is valid
only when the original file has been signed by a
PGP key and that PGP key's fingerprints have been verified
between the user and the real key owner
- that PGP signatures cannot be an assurance of any
security unless fingerprints have been verified
by an independent communication line with the key
owner
For more info:
https://gnupg.org/faq/gnupg-faq.html#how_do_i_verify_signed_packages
Quoting:
> Get a copy of the author’s public certificate and
> import it to your keyring. It’s important to get
> the author’s certificate through a trusted
> source. On the internet, anyone can pretend to
> be anyone. Particularly, be careful if the
> certificate you have doesn’t match the one used
> for prior code releases.
Now, knowing this, what users often do is the
following (not all users):
- in the first place they do not know and do not
have easy access to the information WHO is the
maintainer of the package or controller of the
PGP key; the information exists, but is not easily
accessible
- they do not get a copy of the author's public
certificate, but rather rely on the domain and
server or distribution itself, probably do not
even know the URL from where packages are
downloaded, and certainly do not import the
certificate into their own keyring, but leave it to
pacman or the package manager to handle it,
- they do not use a trusted source, but simply
trust everything; the user is naive, and we shall
make it clear to them that no absolute security
exists that the package was not compromised
- they do not understand that something like
address@hidden can be faked by just
anybody and that everybody can make a PGP key for
any email address in the world
- they do not verify if the certificate is recent or
changed in comparison to prior code releases
- and they do not know how to use GnuPG
And when package databases and such software are
held on mirrors, there is an even worse opportunity
to get compromised software.
The conclusion is that all the efforts that package
maintainers are making can be made futile by one single
server compromise and changes to the package
databases.
Jean
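An added example, not code from this thread or from any distribution's tooling, of the check the post says users skip: a POSIX sh script that accepts a download only when the primary-key fingerprint gpg reports in its VALIDSIG status line matches one obtained from the maintainer through an independent channel. The fingerprints and status lines used are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the thread or any package manager.
# gpg's "Good signature" only means the package matches SOME key in the
# keyring. Assurance needs the signing key's PRIMARY fingerprint compared
# with one obtained out of band from the maintainer. A sha256sum match
# against a digest fetched from the same server only proves the file
# arrived intact, so it is deliberately not checked here.

# Canonical form of a fingerprint: no spaces, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read gpg --status-fd lines on stdin, print the primary-key fingerprint.
# VALIDSIG fields: sig-key-fpr date ts expire ver reserved pk-algo
#                  hash-algo class primary-key-fpr
# The LAST field is used: maintainers publish the primary fingerprint,
# while the first field may be a signing subkey that never matches it.
primary_fpr_from_status() {
    awk '$2 == "VALIDSIG" { print $NF; found = 1 }
         END { if (!found) exit 1 }'
}

# check_status EXPECTED_FPR STATUS_TEXT
#   0: valid signature from the expected primary key
#   1: valid signature, but from a different key (the dangerous case)
#   2: no valid signature at all
check_status() {
    expected=$(norm_fpr "$1")
    got=$(printf '%s\n' "$2" | primary_fpr_from_status) || return 2
    [ "$(norm_fpr "$got")" = "$expected" ]
}

# verify_download FILE DETACHED_SIG EXPECTED_FPR
# Requires gpg in PATH and the maintainer's key already imported.
verify_download() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    check_status "$3" "$status"
}

# Usage (the fingerprint below is a placeholder, not any real key):
# verify_download pkg.tar.gz pkg.tar.gz.sig \
#     "0000 1111 2222 3333 4444  5555 6666 7777 8888 9999" && echo verified
```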