Re: CVE for Kali Linux

[Daniel Micay <danielmicay () gmail com>]

On 22/03/15 03:23 PM, Stephen Kitt wrote:
> On Sun, 22 Mar 2015 14:33:01 -0400, Daniel Micay <danielmicay () gmail com>
> wrote:
> [...]
> > At best, GPG offered *zero value* compared to checking a hash provided
> > via HTTPS, grabbing a torrent file via HTTPS or downloading directly via
> > HTTPS. However, I think it's pretty clear that few users would have gone
> > through with this and all it did was maintain the same security offered
> > by the HTTPS PKI.
> [...]
>
> I don't have any objection to the rest of your argumentation, which seems
> sensible to me; at the very least it's clear that all this needs to be made
> much easier, and (proper) HTTPS use should be encouraged.
>
> But I do believe that *at best*, GPG offers something that HTTPS doesn't:
> signature validation with peer-to-peer trust via the web of trust. This is
> "at best" because most users don't have a key in the strong set; but at least
> for Debian, the archive keys are in the strong set, so any one else with a
> key in the strong set has at least one trust path to the archive key.
>
> Of course that doesn't really help with the MITM scenario, since end users
> would need to know that the archive key is supposed to be signed, and by
> whom...

An attacker only needs control over a few keys in the strong set to add
any number of keys they want, which can then sign other keys. There's
value in the GPG WoT but it's non-trivial to extract it. You could
specifically find Debian devs and obtain their fingerprints securely
from various other places. I think the numbers of users who are going to
do this can probably be counted on a single hand. If there were actually
instructions on this in the installation guide, it could be argued that
a secure option is there.

Attachment: signature.asc
Description: OpenPGP digital signature