oss-sec mailing list archives
Re: CVE for Kali Linux
From: Solar Designer <solar () openwall com>
Date: Sun, 22 Mar 2015 20:50:40 +0300
On Sun, Mar 22, 2015 at 08:23:00PM +0300, Solar Designer wrote:
> On Sun, Mar 22, 2015 at 12:54:57PM -0400, David A. Wheeler wrote:
> > On 2015-02-26 I reported to Cygwin that they had a similar man-in-the-middle issue. The Cygwin package manager (which downloaded all other packages) was unprotected and downloaded using http (as http://cygwin.com/setup-x86.exe or http://cygwin.com/setup-x86_64.exe). They changed it to load with HTTPS, and later added HTTP Strict Transport Security (HSTS).
>
> IMO, http vs. https is a red herring. We shouldn't be focusing on security of software downloads, but rather on authenticity of the software. If the distribution web server gets compromised, https doesn't help. Thus, GPG signatures and the like.
I think I need to add that Cygwin's setup-*.exe was special, and that it actually needed the switch to https. (In addition to having proper signatures for it.) Thank you, David!

Other software downloads also benefit from https slightly - not only in the way I mentioned (partially hiding from some observers which exact software is being downloaded), but also through providing some limited security from MITM attacks for people's manual downloads even when those people wouldn't bother to verify signatures. This is not limited to just Cygwin, although with Cygwin's setup-*.exe I think it mattered more than for most other software.

However, I think this is an operations best practices issue and not a software issue, whereas lack of proper signatures in a software update mechanism is much closer to being an issue with the software itself.

Alexander
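The distinction the thread draws (transport security vs. authenticity of the artifact, and why a bootstrap download like Cygwin's setup-*.exe is the special case) can be shown concretely. The following Go program is an added example, not code from this thread, from Cygwin or from Kali: it stands in Ed25519 from the Go standard library for GPG, uses constructed artifact bytes instead of a real download, and models a compromised distribution server simply as one that hands out a re-signed artifact (the transport is assumed to be intact TLS throughout, since that is exactly what HTTPS cannot help with here). Key names, artifact strings and the `Outcome` struct are all this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is what a distribution server hands out: the artifact plus a
// detached signature made with the distribution's release key.
type Release struct {
	Artifact  []byte
	Signature []byte
}

// ErrBadSignature is returned when the detached signature does not verify
// under the key the client has pinned.
var ErrBadSignature = errors.New("release signature does not verify under pinned key")

// Sign produces a detached signature over SHA-256(artifact), as a release
// process would do once, offline, with the private release key.
func Sign(priv ed25519.PrivateKey, artifact []byte) Release {
	digest := sha256.Sum256(artifact)
	return Release{Artifact: artifact, Signature: ed25519.Sign(priv, digest[:])}
}

// Verify checks a release against a key the client already trusts. The
// pinned key is the whole point: it must not come from the same server
// that served the release, or a compromised server can replace both.
func Verify(pinned ed25519.PublicKey, r Release) error {
	digest := sha256.Sum256(r.Artifact)
	if !ed25519.Verify(pinned, digest[:], r.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Fingerprint is what a user compares out of band (a printed page, a key
// server, a second distribution channel) before pinning a key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Outcome records what each scenario shows.
type Outcome struct {
	GenuineAccepted  bool // signed release verifies under the pinned key
	TamperedRejected bool // artifact swapped on a compromised server is rejected
	BootstrapFooled  bool // key fetched from the same compromised server: tampering goes unnoticed
}

// RunScenarios plays the three cases. Transport never enters the picture:
// the server is reachable over intact TLS in all three, and in the latter
// two it is assumed to be compromised.
func RunScenarios() (Outcome, error) {
	var o Outcome

	// Distribution's release key (constructed here; a real one lives offline).
	distPub, distPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	// Client pinned the distribution's key in advance, e.g. shipped with a
	// previous release or checked against a fingerprint obtained out of band.
	pinned := distPub

	genuine := Sign(distPriv, []byte("setup-x86_64.exe build 1 (constructed sample)"))
	o.GenuineAccepted = Verify(pinned, genuine) == nil

	// The distribution's web server is compromised. The attacker re-signs a
	// modified artifact with a key of their own; HTTPS still terminates fine.
	attPub, attPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	tampered := Sign(attPriv, []byte("setup-x86_64.exe build 1 plus extra payload (constructed sample)"))
	o.TamperedRejected = errors.Is(Verify(pinned, tampered), ErrBadSignature)

	// Bootstrap case: the client has nothing pinned yet and downloads the
	// "release key" from the same compromised server. Verification passes,
	// which is why the very first artifact (or the key) needs a trust anchor
	// the server cannot replace: that is the role HTTPS plays for setup-*.exe.
	keyFromServer := attPub
	o.BootstrapFooled = Verify(keyFromServer, tampered) == nil

	return o, nil
}

func main() {
	o, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine release accepted under pinned key:       %v\n", o.GenuineAccepted)
	fmt.Printf("tampered release rejected under pinned key:      %v\n", o.TamperedRejected)
	fmt.Printf("key taken from the same server fools verification: %v\n", o.BootstrapFooled)
}
```

The first two scenarios are the thread's main point: with a pinned key, a compromised server cannot pass off a modified artifact whether or not it speaks HTTPS. The third is the Cygwin special case: when the client has no prior trust anchor, the signature check verifies only that the artifact matches whatever key the server chose to publish, so something outside the signature scheme (HTTPS plus a fingerprint obtained elsewhere) has to protect that first download.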