Mailinglist Archive: opensuse-security (601 mails)

< Previous Next >
Re: [suse-security] autorpm and latest secure files
  • From: "Kurt Seifried" <listuser@xxxxxxxxxxxx>
  • Date: Sat, 12 Aug 2000 13:59:51 -0600
  • Message-id: <002301c00497$e0a11600$6900030a@xxxxxxxxxxxx>
> But at the risk of repeating the obvious, I will paraphrase Phil
> Zimmerman's pgp READMEs: it is only as safe as the computers hosting
> the signing and checking code. If an attacker trojaned your local
> GnuPG binary or tampered with your public keyring, he could get false
> signatures past you.

This is just as true for the md5sum or sha1 binary on your system! You don't
really "lose" anything. If the attacker can replace these binaries that
means he has root locally on your system. This also means he can replace
your kernel, insert modules, play around with memory, etc, etc. Once an
attacker gets root on a system (unless that system is severely secured) the
game is over and it is time to reinstall from trusted media. I am much more
worried about someone running a mirror site and that site getting
compromised (like ftp.win.tue.nl), the attacker trojans the files and
md5sums on the remote site, users download and everything appears ok. With
GnuPG that would not be possible, the attacker would have to break into the
SuSE machine used to sign packages. I assume this machine is NOT online,
i.e. they have removable media such as a jaz drive to move the data, meaning
any attack would have to be physical (which really reduces the number of
people capable of carrying it out).

> And the trusted suse private key (using suse as an example) may be shared
> among a number of employees, and it may even be used for automatic
> code signing (eugh!) It would just take one of them to allow their
> private keyring to be stolen - and until they notice and get an
> announcement to you - you are vulnerable to man-in-the-middle attacks.

"may be shared". And SuSE might install a default root password we can't
remove. What the heck is your point? Now you're making things up and talking
out your ass. Can we stick to facts instead of making them up?

> BTW IMHO the key doesn't need to be on the CD to be trusted. The SuSE
> key fingerprint is in chapter 18 of the manual. If you get a paper
> manual it is reasonably independent of the Internet.

GnuPG key disitribution is a *LOT* easier, you only have to do it once,
correctly. You can reinforce it by having the key on your website, attached
to emails, etc. Doing md5sum/sha1 distribution is an impossible task (you
need a seperate secure channel for it, etc, etc).

> dproc

-Kurt


< Previous Next >
Follow Ups