Firewall Wizards mailing list archives
Re: Opinions on the security of antivirus software
From: bill earley <bearley () houston rr com>
Date: Sat, 6 Jul 2002 09:52:46 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Comments Inline

- ------Question---------
On Saturday 06 July 2002 01:45 am, you wrote:
Of course there was a recent thread on pgp signatures and e-mail in which it was mentioned that few folks actually check the signature keys within
- -------answer--------------
This, just like every security issue, depends on how seriously the responsible parties take security. I can safely say that every signed email is checked at least to the point of knowing if it is a good or bad known sig or an unknown or untrusted sig. Then depending on how important it is that the unknown / untrusted sig be known and trusted then the key gets verified. An example would be this mailing list; I get several signed messages that show up as unknown / untrusted, but, since it is not critical info then there is no need to verify the sigs. Business communications are all verified and if one shows up unknown or untrusted then flags go up all over the place. Sensitive or critical info is also encrypted not just signed.

- -------Question--------------
those signed messages they get. The question I pose here then is, how many actually check the pgp signatures, or even md5 checksums on all the code they scarf up off the net? Of course, if I recall correctly also, when
- ------answer--------------
I can only offer the one vote for here, but, that is the royal "one" meaning everybody here.

- ------Question--------------
monkey.org was compromised recently and trojaned code placed there, were not the md5 checksums also altered to make the trojaned code appear valid?
- ------answer--------------
True, but, md5 checksums are a simple hash of file size and bit order meant to verify a "clean" transmission and not really meant to verify authenticity of the file, only that the file received is a binary duplicate of the original. Theoretically it could be used to verify the file if the file's author provided a copy of the md5sum to you, when the file was authored, that you held separate and used to verify against the target file. That would require knowing who would be accessing the file and providing them with the md5sum at the time the file was created. Much simpler to sign it with pgp or gpg.

- ------Question--------------
If a site is compromised using pgp signatures, how much of an issue would it be to alter them also?
- ------answer----------------
Several orders of magnitude harder, because they would have to either get the author's "keys" to sign the file with (probably located on another box) or compromise my copies of the author's keys (definitely on another box). As well as compromising the keyservers that I would use to verify the keys if anything showed as suspicious.

- -----free response-------
Long response I know, but, I hope it gives some insight. As always it depends on the individual's attention to detail and how seriously security is taken. MUA's can be set to take advantage of encryption and sig.s and several companies now "sign" their software packages. It does involve a little more effort, but, in my opinion it's well worth it.

- ----- snipped --- old ---- text -------

Bill Earley
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9JwRGej43sadgu/sRAkLPAKClxbM89rBPAaXwAF6CopWzyXR5RwCbB7Pb
vcCh36Y305pJaHsXRt9kFWU=
=QCct
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
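
The checksum scenario discussed in this message, as an added example that is not part of the original post: a download is checked once against the checksum file served by the same mirror and once against a digest recorded at release time and held separately. The file name, contents and the `check_download` helper are constructed for illustration; it covers the held-separately digest check only, not PGP signature verification.

```python
import hashlib
import hmac

HEX = set("0123456789abcdefABCDEF")

def parse_checksum_file(text):
    """Parse md5sum-style lines ('<hex digest>  <name>') into {name: digest}."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in md5sum output
        if digest and name and set(digest) <= HEX:
            digests[name] = digest.lower()
    return digests

def check_download(name, data, mirror_checksums, pinned, algorithm="md5"):
    """Compare a download with the mirror's checksum file and with a pinned digest."""
    actual = hashlib.new(algorithm, data).hexdigest()
    listed = parse_checksum_file(mirror_checksums).get(name)
    known = pinned.get(name)
    return {
        "matches_mirror": listed is not None and hmac.compare_digest(actual, listed),
        "matches_pinned": known is not None and hmac.compare_digest(actual, known),
    }

# Constructed sample data (hypothetical file name and contents).
NAME = "tool-1.0.tar.gz"
ORIGINAL = b"original release contents (constructed)\n"
TAMPERED = b"modified release contents (constructed)\n"

# Digest recorded when the file was authored and stored away from the mirror.
PINNED = {NAME: hashlib.md5(ORIGINAL).hexdigest()}

def checksum_line(data, name):
    return f"{hashlib.md5(data).hexdigest()}  {name}\n"

def demo():
    clean = check_download(NAME, ORIGINAL, checksum_line(ORIGINAL, NAME), PINNED)
    # Compromised mirror: the file and its checksum file were replaced together.
    swapped = check_download(NAME, TAMPERED, checksum_line(TAMPERED, NAME), PINNED)
    return clean, swapped

if __name__ == "__main__":
    for label, result in zip(("clean mirror", "compromised mirror"), demo()):
        print(label, result)
```

On the compromised mirror the co-located checksum still matches, and only the separately held digest flags the change.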
Current thread:
- Opinions on the security of antivirus software Mikael Olsson (Jul 05)
- Re: Opinions on the security of antivirus software H. Morrow Long (Jul 05)
- Re: Opinions on the security of antivirus software bill earley (Jul 05)
- Re: Opinions on the security of antivirus software R. DuFresne (Jul 06)
- Re: Opinions on the security of antivirus software bill earley (Jul 06)
- Re: Opinions on the security of antivirus software R. DuFresne (Jul 06)