oss-sec mailing list archives
Re: CVE for Kali Linux
From: Daniel Micay <danielmicay () gmail com>
Date: Sun, 22 Mar 2015 23:58:06 -0400
On 22/03/15 03:23 PM, Stephen Kitt wrote:
> On Sun, 22 Mar 2015 14:33:01 -0400, Daniel Micay <danielmicay () gmail com> wrote:
> [...]
>> At best, GPG offered *zero value* compared to checking a hash provided via HTTPS, grabbing a torrent file via HTTPS or downloading directly via HTTPS. However, I think it's pretty clear that few users would have gone through with this and all it did was maintain the same security offered by the HTTPS PKI.
> [...]
>
> I don't have any objection to the rest of your argumentation, which seems sensible to me; at the very least it's clear that all this needs to be made much easier, and (proper) HTTPS use should be encouraged. But I do believe that *at best*, GPG offers something that HTTPS doesn't: signature validation with peer-to-peer trust via the web of trust.
>
> This is "at best" because most users don't have a key in the strong set; but at least for Debian, the archive keys are in the strong set, so anyone else with a key in the strong set has at least one trust path to the archive key. Of course that doesn't really help with the MITM scenario, since end users would need to know that the archive key is supposed to be signed, and by whom...
An attacker only needs control over a few keys in the strong set to add any number of keys they want, which can then sign other keys. There's value in the GPG WoT but it's non-trivial to extract it. You could specifically find Debian devs and obtain their fingerprints securely from various other places. I think the number of users who are going to do this can probably be counted on a single hand. If there were actually instructions on this in the installation guide, it could be argued that a secure option is there.
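The point in the reply above, as an added example that is not part of this thread or of any GnuPG code: a constructed certification graph, a breadth-first search for trust paths (a simplification of what a real trust model computes), and the out-of-band fingerprint check that actually distinguishes the genuine archive key from one an attacker certified with a single compromised strong-set key. Every key name and fingerprint below is made up.

```python
"""Trust paths versus pinned fingerprints (constructed example)."""
from collections import deque

# Constructed certification graph: signer -> set of keys it has certified.
# A real web of trust has thousands of nodes; this is the minimum needed
# to show the argument.
STRONG_SET = {
    "USER": {"DEV_A"},
    "DEV_A": {"DEV_B", "USER"},
    "DEV_B": {"ARCHIVE_KEY", "DEV_A"},
    "ARCHIVE_KEY": set(),
}

# Constructed fingerprints, in the spaced form key tools print them.
FINGERPRINTS = {
    "ARCHIVE_KEY": "A1B2 C3D4 E5F6 0718 293A 4B5C 6D7E 8F90 1234 5678",
    "FORGED_ARCHIVE": "DEAD BEEF 0000 1111 2222 3333 4444 5555 6666 7777",
}

# The value the user obtained out of band (constructed; e.g. from an install
# guide fetched over HTTPS, or read off a developer's business card).
PINNED_ARCHIVE_FP = "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"


def trust_path(graph, start, target, max_depth=5):
    """Return the shortest certification chain start -> ... -> target, or None."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_depth:
            continue  # bound the chain length, as real trust models do
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def compromise(graph, victim, forged_keys):
    """Model an attacker who controls `victim`'s key and uses it to certify
    any number of attacker-chosen keys. Returns a new graph."""
    new = {k: set(v) for k, v in graph.items()}
    new[victim] = new.get(victim, set()) | set(forged_keys)
    for forged in forged_keys:
        new.setdefault(forged, set())
    return new


def fingerprint_matches(observed, pinned):
    """Compare two fingerprints after normalising spacing and case.
    Fingerprints are public, so a plain equality check is sufficient."""
    norm = lambda s: s.replace(" ", "").upper()
    return norm(observed) == norm(pinned)


def verify_key(graph, user, key_id, pinned_fp):
    """Accept `key_id` only if a trust path exists AND its fingerprint matches
    the value obtained out of band. The second check is the one that matters."""
    path = trust_path(graph, user, key_id)
    if path is None:
        return (False, "no trust path")
    if not fingerprint_matches(FINGERPRINTS.get(key_id, ""), pinned_fp):
        return (False, "fingerprint mismatch")
    return (True, " -> ".join(path))


if __name__ == "__main__":
    clean = STRONG_SET
    print("clean graph:", verify_key(clean, "USER", "ARCHIVE_KEY", PINNED_ARCHIVE_FP))
    # One compromised developer key is enough to give a forged key a trust path.
    attacked = compromise(clean, "DEV_B", ["FORGED_ARCHIVE"])
    print("forged key path:", trust_path(attacked, "USER", "FORGED_ARCHIVE"))
    print("forged key verify:", verify_key(attacked, "USER", "FORGED_ARCHIVE", PINNED_ARCHIVE_FP))
```

Running it shows that after a single key in the chain is compromised, the forged archive key has a perfectly good-looking trust path from the user; only the pinned-fingerprint comparison rejects it, which is why the fingerprint has to come from somewhere the attacker does not control.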