oss-sec mailing list archives
Re: CVE for Kali Linux
From: Marcus Meissner <meissner () suse de>
Date: Mon, 23 Mar 2015 11:38:54 +0100
On Sun, Mar 22, 2015 at 11:34:28PM +0300, Alexander Cherepanov wrote:
On 2015-03-22 20:23, Solar Designer wrote:https does offer a security aspect that signatures don't: it hides from some observers which exact software is being downloaded (and maybe that it's a software download at all). It doesn't do that perfectly because the target address and transfer timings and sizes may be revealing, but I do acknowledge there's some subtle improvement over http here. I just think this is far less important than ensuring authenticity of the software. So let's demand signatures and signature verification first, and let's not be distracted by http vs. https.There are some attacks even if you verify signatures, e.g. serving old, known-vulnerable versions. HTTPS can help here (until signatures start to be widely accompanied by expiring timestamps or something).
SUSE has added an expiry tag in the YUM metadata for such cases. Ciao, Marcus
Current thread:
- Re: CVE for Kali Linux, (continued)
- Re: CVE for Kali Linux Stephen Kitt (Mar 22)
- Re: CVE for Kali Linux Daniel Micay (Mar 22)
- Re: CVE for Kali Linux Alexander Cherepanov (Mar 22)
- Re: CVE for Kali Linux Alexander Cherepanov (Mar 22)
- Re: CVE for Kali Linux Russ Allbery (Mar 22)
- Re: CVE for Kali Linux Solar Designer (Mar 22)
- Re: CVE for Kali Linux Russ Allbery (Mar 22)
- Re: CVE for Kali Linux David A. Wheeler (Mar 22)
- Re: CVE for Kali Linux Alexander Cherepanov (Mar 23)
- Re: CVE for Kali Linux Alexander Cherepanov (Mar 23)
- Re: CVE for Kali Linux Marcus Meissner (Mar 23)
- Re: CVE for Kali Linux Alexander Cherepanov (Mar 23)
- Re: CVE for Kali Linux Marcus Meissner (Mar 23)
- Re: CVE for Kali Linux Marcus Meissner (Mar 24)
- Re: CVE for Kali Linux Alexander Cherepanov (Mar 24)
- Re: CVE for Kali Linux Kurt Seifried (Mar 22)
- Re: CVE for Kali Linux Solar Designer (Mar 22)