oss-sec mailing list archives

Re: CVE for Kali Linux


From: Daniel Micay <danielmicay () gmail com>
Date: Sun, 22 Mar 2015 00:24:58 -0400

Windows users are also left out without this: they don't have GPG, and
they don't have a secure way to obtain GPG.

http://www.gpg4win.org/
http://sourceforge.net/projects/msys2/

Not even HTTPS *without* HSTS + HPKP. Gpg4win did get part of the way
there but didn't grab a free certificate from GlobalSign or StartSSL.

The official gnupg site uses ftp with... GPG signatures. I guess you're
supposed to validate that the GPG installer you've downloaded is valid
by running the GPG installer? :P

https://www.gnupg.org/download/

Is there actually a way for a Windows user to obtain it securely?

GPG simply doesn't work here, even if you assume that users are going to
take extra steps to verify the download. You have to rely on HTTPS (or
HKPS) to obtain the GPG key anyway, so I don't see the point in pushing
for it here. It's fantastic for package signing, sure :).

Attachment: signature.asc
Description: OpenPGP digital signature
