oss-sec mailing list archives

Re: CVE for Kali Linux


From: Alexander Cherepanov <ch3root () openwall com>
Date: Sun, 22 Mar 2015 23:34:28 +0300

On 2015-03-22 20:23, Solar Designer wrote:
> https does offer a security aspect that signatures don't: it hides from
> some observers which exact software is being downloaded (and maybe that
> it's a software download at all).  It doesn't do that perfectly because
> the target address and transfer timings and sizes may be revealing, but
> I do acknowledge there's some subtle improvement over http here.  I just
> think this is far less important than ensuring authenticity of the
> software.  So let's demand signatures and signature verification first,
> and let's not be distracted by http vs. https.

There are some attacks even if you verify signatures, e.g. serving old, known-vulnerable versions. HTTPS can help here (until signatures start to be widely accompanied by expiring timestamps or something).

--
Alexander Cherepanov
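Added example (not part of the thread, and not Kali's or anyone's real tooling) of the rollback problem raised above: a release manifest whose signature stays valid forever lets a mirror serve an old, known-vulnerable version, so the verifier below also checks an expiry timestamp and a monotonic version pin. HMAC stands in for the distributor's signature primitive, and the manifest fields, key and artifacts are all constructed for the demo.

```python
import hashlib
import hmac
import json

DAY = 86400
# Constructed demo key; a real distributor signs with an asymmetric key
# (OpenPGP/Ed25519). HMAC only stands in for the signing step here.
DEMO_KEY = b"demo-signing-key-not-for-real-use"


def canonical(manifest):
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key=DEMO_KEY):
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def make_release(name, version, artifact, signed_at, ttl=7 * DAY):
    """Distributor side: bind name, version, artifact hash and a validity
    window into one signed manifest (constructed format)."""
    manifest = {"name": name, "version": version,
                "sha256": hashlib.sha256(artifact).hexdigest(),
                "signed_at": signed_at, "expires_at": signed_at + ttl}
    return manifest, sign_manifest(manifest)


def parse_version(v):
    return tuple(int(x) for x in v.split("."))


def verify_release(manifest, sig, artifact, last_seen_version, now, key=DEMO_KEY):
    """Client side: returns (ok, reason). A good signature alone is not
    enough; stale metadata and downgrades are rejected as well."""
    if not hmac.compare_digest(sign_manifest(manifest, key), sig):
        return False, "bad signature"
    if now > manifest["expires_at"]:
        return False, "metadata expired"          # old manifest replayed
    if parse_version(manifest["version"]) < parse_version(last_seen_version):
        return False, "rollback"                  # client already saw newer
    if hashlib.sha256(artifact).hexdigest() != manifest["sha256"]:
        return False, "artifact hash mismatch"
    return True, "ok"


# Constructed sample data: an old release and one published 30 days later.
OLD_ARTIFACT = b"image-1.0 (constructed bytes)"
NEW_ARTIFACT = b"image-1.1 (constructed bytes)"
OLD, OLD_SIG = make_release("demo-image", "1.0", OLD_ARTIFACT, 1000)
NEW, NEW_SIG = make_release("demo-image", "1.1", NEW_ARTIFACT, 1000 + 30 * DAY)
```

Without the expiry and version checks, the `OLD` manifest would verify just as cleanly as `NEW` for as long as the signing key lives.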

