oss-sec mailing list archives
Re: CVE for Kali Linux
From: Stephen Kitt <steve () sk2 org>
Date: Sun, 22 Mar 2015 20:23:32 +0100
On Sun, 22 Mar 2015 14:33:01 -0400, Daniel Micay <danielmicay () gmail com> wrote: [...]
At best, GPG offered *zero value* compared to checking a hash provided via HTTPS, grabbing a torrent file via HTTPS or downloading directly via HTTPS. However, I think it's pretty clear that few users would have gone through with this and all it did was maintain the same security offered by the HTTPS PKI.
[...] I don't have any objection to the rest of your argumentation, which seems sensible to me; at the very least it's clear that all this needs to be made much easier, and (proper) HTTPS use should be encouraged. But I do believe that *at best*, GPG offers something that HTTPS doesn't: signature validation with peer-to-peer trust via the web of trust. This is "at best" because most users don't have a key in the strong set; but at least for Debian, the archive keys are in the strong set, so any one else with a key in the strong set has at least one trust path to the archive key. Of course that doesn't really help with the MITM scenario, since end users would need to know that the archive key is supposed to be signed, and by whom... Regards, Stephen
Attachment:
_bin
Description: OpenPGP digital signature
Current thread:
- Re: CVE for Kali Linux, (continued)
- Re: CVE for Kali Linux David A. Wheeler (Mar 22)
- Re: CVE for Kali Linux Solar Designer (Mar 22)
- Re: CVE for Kali Linux Solar Designer (Mar 22)
- Re: CVE for Kali Linux Kurt Seifried (Mar 22)
- Re: CVE for Kali Linux Donald Stufft (Mar 22)
- Re: CVE for Kali Linux Daniel Micay (Mar 22)
- Re: CVE for Kali Linux Kristian Fiskerstrand (Mar 22)
- Re: CVE for Kali Linux Jeremy Stanley (Mar 22)
- Re: CVE for Kali Linux David A. Wheeler (Mar 22)
- Re: CVE for Kali Linux Daniel Micay (Mar 22)
- Re: CVE for Kali Linux Stephen Kitt (Mar 22)
- Re: CVE for Kali Linux Daniel Micay (Mar 22)
- Re: CVE for Kali Linux Alexander Cherepanov (Mar 22)
- Re: CVE for Kali Linux Alexander Cherepanov (Mar 22)
- Re: CVE for Kali Linux Russ Allbery (Mar 22)
- Re: CVE for Kali Linux Solar Designer (Mar 22)
- Re: CVE for Kali Linux Russ Allbery (Mar 22)
- Re: CVE for Kali Linux David A. Wheeler (Mar 22)
- Re: CVE for Kali Linux Alexander Cherepanov (Mar 23)
- Re: CVE for Kali Linux Alexander Cherepanov (Mar 23)
- Re: CVE for Kali Linux Marcus Meissner (Mar 23)