Message-ID: <20150322175040.GA21383@openwall.com>
Date: Sun, 22 Mar 2015 20:50:40 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE for Kali Linux

On Sun, Mar 22, 2015 at 08:23:00PM +0300, Solar Designer wrote:
> On Sun, Mar 22, 2015 at 12:54:57PM -0400, David A. Wheeler wrote:
> > On 2015-02-26 I reported to Cygwin that they had a similar man-in-the-middle issue.
> > The Cygwin package manager (which downloaded all other packages) was unprotected
> > and downloaded using http (as http://cygwin.com/setup-x86.exe or http://cygwin.com/setup-x86_64.exe).
> > They changed it to load with HTTPS, and later added HTTP Strict Transport Security (HSTS).
> 
> IMO, http vs. https is a red herring.  We shouldn't be focusing on
> security of software downloads, but rather on authenticity of the
> software.  If the distribution web server gets compromised, https
> doesn't help.  Thus, GPG signatures and the like.

I think I need to add that Cygwin's setup-*.exe was special, and that it
actually needed the switch to https.  (In addition to having proper
signatures for it.)  Thank you, David!

Other software downloads also benefit from https slightly - not only in
the way I mentioned (partially hiding from some observers which exact
software is being downloaded), but also through providing some limited
security from MITM attacks for people's manual downloads even when those
people wouldn't bother to verify signatures.  This is not limited to
just Cygwin, although with Cygwin's setup-*.exe I think it mattered more
than for most other software.

However, I think this is an operations best practices issue and not a
software issue, whereas lack of proper signatures in a software update
mechanism is much closer to being an issue with the software itself.

Alexander

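The distinction Alexander draws above (transport security via https versus authenticity of the software via signatures) is easy to see in a small verification script. The following is an added example, not code from this thread or from the Cygwin or Kali projects. It assumes a POSIX shell with GNU sha256sum and OpenSSL available; OpenSSL RSA detached signatures stand in for the GPG detached signatures the post has in mind, the "mirror" is a local directory, and the artifact and keys are constructed on the spot. Four scenarios are walked through: an honest mirror, an artifact swapped in transit, a compromised server that rewrites both the artifact and its checksum list, and the same server also re-signing with the attacker's key. Only the last two are the cases where https would not have helped, and only a key pinned outside the download channel rejects them.

```shell
#!/bin/sh
# Added example; not code from the thread or from Cygwin/Kali. It demonstrates
# the distinction the post draws: a checksum list fetched from the same server
# as the artifact only catches corruption, while a detached signature over that
# list, checked against a publisher key pinned *outside* the download channel,
# still rejects a download from a compromised mirror. OpenSSL RSA detached
# signatures stand in for the GPG signatures the post refers to; "mirror" is a
# local directory; the artifact and keys are constructed here.
set -eu

# Publisher side: sign a release. $1 = directory that becomes the mirror,
# $2 = directory holding the signing key (stays with the publisher).
publisher_release() {
    mirror=$1; keys=$2
    mkdir -p "$mirror" "$keys"
    printf '#!/bin/sh\necho installing\n' > "$mirror/setup.sh"   # constructed artifact
    (cd "$mirror" && sha256sum setup.sh > SHA256SUMS)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$keys/release.key" 2>/dev/null
    openssl pkey -in "$keys/release.key" -pubout -out "$keys/release.pub" 2>/dev/null
    openssl dgst -sha256 -sign "$keys/release.key" \
        -out "$mirror/SHA256SUMS.sig" "$mirror/SHA256SUMS"
    # Publishers usually also put the public key on the mirror; scenario 4
    # shows why that copy must not be the one the user trusts.
    cp "$keys/release.pub" "$mirror/release.pub"
}

# User side: $1 = downloaded release directory, $2 = pinned public key.
# Authenticate the checksum list first, then check the artifact against it.
# Returns 0 when authentic, 1 when rejected.
verify_download() {
    dl=$1; pinned=$2
    if ! openssl dgst -sha256 -verify "$pinned" -signature "$dl/SHA256SUMS.sig" \
            "$dl/SHA256SUMS" >/dev/null 2>&1; then
        echo "REJECT: SHA256SUMS signature does not verify against pinned key" >&2
        return 1
    fi
    if ! (cd "$dl" && sha256sum -c --quiet --strict SHA256SUMS >/dev/null 2>&1); then
        echo "REJECT: artifact does not match the signed checksum list" >&2
        return 1
    fi
    echo "OK: $dl/setup.sh is authentic" >&2
}

# Build a fresh signed release and print its work directory:
#   $W/mirror      what the user downloads
#   $W/keys        the publisher's signing key
#   $W/pinned.pub  public key the user obtained out of band, before downloading
fresh_release() {
    W=$(mktemp -d)
    publisher_release "$W/mirror" "$W/keys"
    cp "$W/keys/release.pub" "$W/pinned.pub"
    echo "$W"
}

# 1. Honest mirror: verification passes.
scenario_honest() {
    W=$(fresh_release)
    verify_download "$W/mirror" "$W/pinned.pub" && rc=0 || rc=$?
    rm -rf "$W"; return $rc
}

# 2. Only the artifact is swapped (a MITM on plain http): the checksum fails.
scenario_swapped_artifact() {
    W=$(fresh_release)
    printf 'echo pwned\n' > "$W/mirror/setup.sh"
    verify_download "$W/mirror" "$W/pinned.pub" && rc=0 || rc=$?
    rm -rf "$W"; return $rc
}

# 3. Compromised server: artifact AND SHA256SUMS rewritten. https would carry
#    this release untouched; the signature over the list rejects it.
scenario_compromised_server() {
    W=$(fresh_release)
    printf 'echo pwned\n' > "$W/mirror/setup.sh"
    (cd "$W/mirror" && sha256sum setup.sh > SHA256SUMS)
    verify_download "$W/mirror" "$W/pinned.pub" && rc=0 || rc=$?
    rm -rf "$W"; return $rc
}

# 4. As 3, but the attacker re-signs with their own key and replaces the public
#    key served on the mirror. Returns 0 iff the pinned key rejects the release
#    while a user who took the key from the same server would accept it.
scenario_pinned_vs_served_key() {
    W=$(fresh_release)
    printf 'echo pwned\n' > "$W/mirror/setup.sh"
    (cd "$W/mirror" && sha256sum setup.sh > SHA256SUMS)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$W/attacker.key" 2>/dev/null
    openssl pkey -in "$W/attacker.key" -pubout -out "$W/mirror/release.pub" 2>/dev/null
    openssl dgst -sha256 -sign "$W/attacker.key" \
        -out "$W/mirror/SHA256SUMS.sig" "$W/mirror/SHA256SUMS"
    verify_download "$W/mirror" "$W/pinned.pub" && pinned_rc=0 || pinned_rc=$?
    verify_download "$W/mirror" "$W/mirror/release.pub" && served_rc=0 || served_rc=$?
    rm -rf "$W"
    [ "$pinned_rc" -ne 0 ] && [ "$served_rc" -eq 0 ]
}

# Stand-alone run: print each scenario's verdict.
for s in scenario_honest scenario_swapped_artifact scenario_compromised_server; do
    if "$s"; then echo "$s -> accepted"; else echo "$s -> rejected"; fi
done
if scenario_pinned_vs_served_key; then
    echo "scenario 4 -> pinned key rejected the re-signed release; mirror-served key accepted it"
fi
```

With real distributions the equivalent of the signature step is `gpg --verify SHA256SUMS.gpg SHA256SUMS` against a key whose fingerprint you obtained from somewhere other than the download server; a key or fingerprint fetched over the same channel as the artifact, https or not, collapses scenario 4 back into the "accepted" column.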