RE: Reflections on Trusting Trust

From: aristeu (suporte_at_wahtec.com.br)
Date: 11/29/05

    To: <freebsd-security@freebsd.org>
    Date: Tue, 29 Nov 2005 18:49:11 -0200
    
    

    > Can you explain what you mean here. Virtually all distfiles needed to
    > build a port have MD5 and maybe SHA-256 hashes embedded in the ports
    > tree. The only way to easily circumvent these is to subvert the ports
    > tree - which gets back to the issue of trusting the FreeBSD distribution.
    > I agree that there's currently no integrity checking on packages.
    > (And, BTW, tar has no integrity checks).

    Anyone who is between you and the freebsd cvsup server can make his own ports
    tree repository. That being done, he just needs to redirect your connection
    and wait 'til your next cvsup sync is done.

    About the tar.bz2 archives or whatever you use with tar, yes, if a file is
    corrupted it doesn't finish decompressing... nice check, huh... :P well, was
    a joke, sort of.

    > I don't believe this solves anything. The biggest problem is ensuring
    > that you can trust your initial keyring or root certificate
    > collection. Putting "trusted" keys on an ISO only gives you circular
    > trust - you trust that the ISO image came from the people who made it.

    There must be a beginning. Or else people will need to go to the
    headquarters to get the CD or to the CA to get their certificate. Root
    certificates don't expire?

    > There's no easy way to verify that it came from the FreeBSD Project.
    > The FreeBSD project also discourages the inclusion of GPL code in the
    > base system, making gnupg unattractive as a base system candidate.
    > Finally, PGP does not have the concept of "important" keys - this is
    > closer to the X.509 model. The base system already includes tools for
    > handling X.509 signatures (openssl) and there is already a collection
    > of X.509 keys embedded in the ports system (security/ca-roots).

    It's the easiest way I could think of, without inserting another trust point
    (CA's infrastructure and the people who work on them). I'm not against
    X.509 signatures, I like them as I like pub key. BUT you need to know that,
    yet, installing a ca-root certificates port, downloading a public key or
    resynching your ports tree implies network transmission of certificates,
    keys, or hashes. MITM can be done in all that. The part I don't like is that
    a hash is just a hash. No one owns it.

    About the GNU part, a user from this list sent me an email telling me there
    is a BSD-licensed solution coming soon. Thanks markzero for the note.

    http://netbsd-soc.sourceforge.net/projects/bpg/

    Well, anyway, for me, public keys or certificates must be pre-installed on
    the ISO release and hashes serve only for integrity check, nothing more.

    []'s
    aristeu

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
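Added example, not part of the thread or of FreeBSD's tools: a Go sketch of the point made above, that a distinfo hash synced over cvsup checks integrity but not origin, while a key pre-installed from the ISO does. It assumes a constructed distinfo entry and an ed25519 key standing in for whatever project key the ISO would carry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// DistInfo stands in for one ports-tree distinfo entry (constructed sample).
type DistInfo struct{ Name, SHA256 string }

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// HashCheck is the ports-style integrity check: the distfile must match distinfo.
func HashCheck(di DistInfo, distfile []byte) bool {
	return sha256Hex(distfile) == di.SHA256
}

// SignDistInfo/VerifyDistInfo add authenticity: the project signs the distinfo
// line and the client verifies it with a public key pre-installed from the ISO.
func SignDistInfo(priv ed25519.PrivateKey, di DistInfo) []byte {
	return ed25519.Sign(priv, []byte(di.Name+" "+di.SHA256))
}
func VerifyDistInfo(pub ed25519.PublicKey, di DistInfo, sig []byte) bool {
	return ed25519.Verify(pub, []byte(di.Name+" "+di.SHA256), sig)
}

// Scenario models a cvsup sync through an attacker-controlled mirror. With
// tamper set, the mirror serves a modified distfile AND a distinfo whose hash
// matches it. Returns (hash check passes, signature check passes).
func Scenario(tamper bool) (hashOK, sigOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // project key; pub ships on the ISO
	distfile := []byte("foo-1.0.tar.bz2: genuine upstream bytes (constructed)")
	di := DistInfo{"foo-1.0.tar.bz2", sha256Hex(distfile)}
	sig := SignDistInfo(priv, di) // signed once, by the project, before the sync
	if tamper {
		distfile = []byte("foo-1.0.tar.bz2: modified bytes (constructed)")
		di.SHA256 = sha256Hex(distfile) // hash recomputed to match; nobody "owns" it
	}
	return HashCheck(di, distfile), VerifyDistInfo(pub, di, sig)
}

func main() {
	fmt.Println(Scenario(false)) // true true
	fmt.Println(Scenario(true))  // true false
}
```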

