Re: Reflections on Trusting Trust
- From: Alexander Leidinger <netchild@xxxxxxxxxxx>
- Date: Wed, 30 Nov 2005 19:42:50 +0100
On Thu, 1 Dec 2005 05:15:30 +1100
Peter Jeremy <PeterJeremy@xxxxxxxxxxxxxxxx> wrote:
> On Wed, 2005-Nov-30 14:43:43 +0100, Alexander Leidinger wrote:
> >Kurt Seifried <listuser@xxxxxxxxxxxx> wrote:
> >
> >>should have people upload their keys. On another note I am available
> >>to sign PGP keys (proving your key/identity is an excercise left to
> >>the reader =),
> >
> >or to the signer... the keys are available in the handbook (either from
> >www.freebsd.org or in raw from http://cvsweb.freebsd.org/doc)
>
> But how do I know that the data I download from *.freebsd.org hasn't
> been tampered with? Either by a MITM attack between me and the real
> *.freebsd.org site or a DNS attack redirecting me to a third site.
> This was the nub of my original posting.
Yes, I know. But if you get the same *wrong* data (for the PGP keys it's
relatively easy to verify) from several locations (cvsup*.FreeBSD.org +
cvsweb.freebsd.org + www.freebsd.org, don't forget to check if they
point to a reasonable amount of different IP's; the printed handbook
and the handbook on the release CDs), then you have other things to
worry about...
> > And AFAIK this is all PGP is supposed to verify, that the person
> >behind "user@xxxxxxxxxxx" is the same as the person with access to the
> >secret key for this address.
>
> PGP is susceptable to MITM attacks - Ann asks Bruce for his public
> key. Mallory intercepts the request and substitutes his own public
> key. He can then intercept, alter and re-sign following exchanges so
> neither Ann nor Bruce realise they have an intruder.
Yes, in theory. In practice there's a point where you either say "I
trust this", or you say "if I can't trust this from this point on, I
don't have to worry about it, since I'm busted already". See above.
> >But this assumes the signer trusts the FreeBSD.org security:
>
> If you don't trust the FreeBSD Project you wouldn't run FreeBSD.
>
> > Without ssh access there's no way to insert a key into the CVS
> >repository.
>
> Assuming no security holes in the infrastructure... How can I tell
Yes.
> that my private copy of the FreeBSD Project's CVS repository is the
> same as the one on whatever.FreeBSD.org?
Assuming enough resources: ATM only by downloading all and diffing
them. If they all match, you are either busted already since the
attacker controls too much, or you can say the probability is high
enough that you got a copy of the original repository.
Bye,
Alexander.
--
http://www.Leidinger.net Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
- Follow-Ups:
- Re: Reflections on Trusting Trust
- From: Peter Jeremy
- Re: Reflections on Trusting Trust
- References:
- Re: Reflections on Trusting Trust
- From: Peter Jeremy
- Re: Reflections on Trusting Trust
- Prev by Date: Re: Reflections on Trusting Trust
- Next by Date: Re: Reflections on Trusting Trust
- Previous by thread: Re: Reflections on Trusting Trust
- Next by thread: Re: Reflections on Trusting Trust
- Index(es):
Relevant Pages
|
|
