oss-sec mailing list archives
Re: CVE for Kali Linux
From: Alexander Cherepanov <ch3root () openwall com>
Date: Sun, 22 Mar 2015 23:34:28 +0300
On 2015-03-22 20:23, Solar Designer wrote:
> https does offer a security aspect that signatures don't: it hides from some observers which exact software is being downloaded (and maybe that it's a software download at all). It doesn't do that perfectly because the target address and transfer timings and sizes may be revealing, but I do acknowledge there's some subtle improvement over http here. I just think this is far less important than ensuring authenticity of the software. So let's demand signatures and signature verification first, and let's not be distracted by http vs. https.
There are some attacks even if you verify signatures, e.g. serving old, known-vulnerable versions. HTTPS can help here (until signatures start to be widely accompanied by expiring timestamps or something).
-- Alexander Cherepanov
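
Added example, not part of the original message or thread: a client-side check showing why a valid signature alone accepts an old release, and how a signed expiry plus a remembered version number rejects it. The metadata fields (`version`, `expires`), the key, and the use of HMAC-SHA256 as a stand-in for a real public-key signature are assumptions made so the sketch runs with the Python standard library only.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 stands in for a public-key signature scheme.
# The key and all metadata below are constructed for this example.
KEY = b"constructed-demo-key"
WEEK = 7 * 24 * 3600

def sign(meta: dict) -> dict:
    body = json.dumps(meta, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(KEY, body, hashlib.sha256).hexdigest()}

def verify_signature_only(signed: dict) -> dict:
    """Authenticity check only: any release ever signed passes forever."""
    expected = hmac.new(KEY, signed["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        raise ValueError("bad signature")
    return json.loads(signed["body"])

def verify_fresh(signed: dict, now: int, last_seen_version: int) -> dict:
    """Authenticity plus freshness: signed expiry and no version rollback."""
    meta = verify_signature_only(signed)
    if now >= meta["expires"]:
        raise ValueError("metadata expired")
    if meta["version"] < last_seen_version:
        raise ValueError("rollback: older than last seen version")
    return meta

def check(fn, *args) -> str:
    """Return 'accepted' or the rejection reason, for easy comparison."""
    try:
        fn(*args)
        return "accepted"
    except ValueError as exc:
        return str(exc)

# Constructed releases: version 1 signed at t=1000, version 2 at t=500000,
# each with a one-week validity window covered by the signature.
OLD = sign({"name": "pkg", "version": 1, "expires": 1000 + WEEK})
NEW = sign({"name": "pkg", "version": 2, "expires": 500000 + WEEK})

if __name__ == "__main__":
    print("signature only, old release:", check(verify_signature_only, OLD))
    print("fresh check, old, long after:", check(verify_fresh, OLD, 2_000_000, 0))
    print("fresh check, old, client saw v2:", check(verify_fresh, OLD, 1500, 2))
    print("fresh check, current release:", check(verify_fresh, NEW, 600_000, 2))
```

The expiry only helps while the signer keeps re-issuing metadata; within the validity window, a client with no stored `last_seen_version` can still be served the older release.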