Check Who Signed Off On Your Software

An anonymous reader submits "The Software Sig Page encourages software maintainers to publish verifiable signatures for released software and to build the web of trust among software maintainers and software users. If you're afraid of downloading a trojaned OpenSSH, being 0wned while capturing packets, compiling an MTA as well as a backdoor on your system, not being able to trust tools you use every day, or never having a chance from the moment your OS boots, then you want some level of assurance that the software you use is everything the mainatainers expected you to have and no more. Look and check the MD5 and PGP signatures that come with software you download."

This seems like an issue for OSS

[ObviousGuy]

If you have the actual shrink-wrapped product CD with appropriate holograms, this isn't an issue.

If you're downloading god-knows-what from the Internet, you're taking a big chance, and this latest idea is probably pretty good for those people.

Nope..

[fforw]

If you have the actual shrink-wrapped product CD with appropriate holograms, this isn't an issue.

Who tells you that no one compromised the data before it was put on the CD?
How can you be sure that the software companies compilers aren't compromised? (see Reflections on trusting Trust [wbglinks.net])

Even if the software you bought isn't compromised by any third party - can you trust the software company ?

Re:Nope..

[Tom7]

How can you be sure that the software companies compilers aren't compromised?

If they are, then digital signatures will do nothing but provide you with a false sense of security!

Re:

[account_deleted]

Comment removed based on user account deletion

Re:This seems like an issue for OSS

[Just Some Guy]

If you have the actual shrink-wrapped product CD with appropriate holograms, this isn't an issue.

That's right. Because no software houses suffer from hacked networks. Because all sub-contractors are trustworthy. Because the source used to generate a CD is inherently more secure than a source used to generate a downloadable file.

Do you know that Microsoft is the only party that ever touches their data before it gets pressed and shipped? If you thought so, you're wrong.

Re:This seems like an issue for OSS

[a_hofmann]

don't forget all those updates and patches that are added after installing from an (probably safe) cd...

as long as there is no wide ranging crypto tech working in software distribution, talking about security is nonsense.

Re:This seems like an issue for OSS

[Anonymous Coward]

Didn't stop MS from including a virus on an MSDN CD a while back...

Re:This seems like an issue for OSS

[Aurix]

Do you have an URL perchance? I couldn't find anything on Google.

MD5

[FishermansEnemy]

I always thought that people checking the MD5SUMS were paranoid freaks, but now I can see why it would be a good idea. I, for one, will now be checking my downloads.

Good for a small market

[Mork29]

Lets face it, the average user doesn't know what an MD5 checksum or PGP even are. It's a sad thing, because most security tools are easy to use, and would make the internet a safer place, but the fact of the matter is that you still have people opening up e-mail viruses that are an attachment with a notepad icon. [symantec.com] Although if you know how you should, we need to find a safe delivery system that's a bit easier for the average joe, who seems to enjoy living on the edge, downloading lots of shareware, and clicking on every e-mail attachment they get.

BSD ports tree required MD5 check

[dwoolridge]

At least for FreeBSD, package maintainers must create an MD5 signature for packages that are downloaded (from source or mirror). If you try to build a port with a signature mismatch, the build bails. So, not only does the source site's code need to be trojaned, but the ports tree entry has to be modified too (and the sysadmin has to update the ports tree).

Since Gentoo has a ports-style package management system, perhaps it does something similar.

Re:BSD ports tree required MD5 check

[billatq]

Indeed. Gentoo comes with md5 hashes on the portage tree.

Re:BSD ports tree required MD5 check

[Triumph The Insult C]

iirc, this is how the openssh trojan was discovered. a freebsd user was compiling openssh from ports and it wasn't compiling properly because of this.

be aware of what you are checking..

[molo]

You should be careful how much trust you put into these signatures. MD5 sums only tell you that the file hasn't been modified between the download server and your computer. If the software was trojaned, the MD5 sum can be changed to match the new trojaned software.

If there is a PGP signature, but it is from an untrusted key, that is no better than a MD5 sum. Anyone can create a PGP key with any name on it and upload it to the public keyservers. The real authentication comes from the web-of-trust. Of course, there are some mitigating factors.. like having the author sign with the same key for previous releases and then you notice that the key has changed. That can help, but only if you are vigilant.

The web-of-trust is the real important factor here. If you are a software distributor, try to get your keys signed by multiple people in the well-connected group.

If you are a software user, see if you can find a key that you trust enough to sign it.. either by a face-to-face identification verification (with a signature that you can upload to the keyservers), or by using a well-accepted key in the well-connected set and signing it LOCALLY (so that it doesn't get uploaded to the keyservers and pollute the trusted set for other users). Something from the top-50 signed keys [kjsl.com] would be suitable:.

Sites like biglumber.com [biglumber.com] maintain a list of people interested in key signings in different localities. This is a big help in getting some signatures and connecting yourself to the well-connected-set of keys.

Also, if you want to check the path of trust between two keys, check out the PGP Pathfinder [earth.li]. An example is the path from Werner Koch (GPG author) to Phil Zimmerman (PGP author) [earth.li].

This will enable you to build up your web-of-trust, which really indicates that the keys belong to who they say they do. PGP is your friend, use it wisely.

-molo

Slackware packages..

[geggibus]

..are pgp signed.

-K

It's not the trojans that worry me

[Tom7]

In truth, I'm more afraid of accidental errors made by developers with good intentions (as have shown up in just about every security-critical C program I've ever used) than trojans slipped in my miscreants. Sadly, digital signatures and hashes can do nothing to help me here...

The web of trust

[looseBits]

If my PGP key has a hundred signatures, that doesn't make me a nice guy and it doesn't mean that I don't write software with Comet Cursor like features. All it means is that I am who I say I am. If Osama bin Laden or John Ashcroft came into my house and asked me to sign their key, I would but that doesn't mean I would trust software written by either of them.

Mediocre solutions

[Anonymous Coward]

You should obtain the MD5 signature for software from a different place than you received the software from.

This is a best-case scenario with MD5sums, and even a best case is pretty worthless. Debian up until very recently has relied on MD5sums, which are little more than a false sense of security. Yes, if the person who uploads a trojaned package forgets to update the MD5sum that goes along with it, you will know. The problem is they won't forget, they will update it, and you won't know what hit you. The advantage comes when you download the MD5sum from another site like they recommend here. Not only does the attacker have to break a second site's security (assuming they can't just break it once higher upstream, defeating this weak method of security), they have to know which site to break into to upload the MD5 to or else you will get the right one and know.

The problem is, MD5 never protected from man in the middle attacks. Anyone between you and the internet (or some kid in the next dorm room) can simply hijack your connection (dns spoofing works great, they are close and can give a response to your dns request faster than the real server, and give their own IP address). Then once you are connected to them, they just become a transparent proxy for the site you are supposed to be using. Your software updater asks for a package that the attacker has pre-prepared, sends that instead of what you expected, and when you ask for the md5 (no matter who you ask) they pretend to be the source and give you the hacked MD5. Using MD5 for security like this is like eating leather when you run out of food. It is not acceptable.

So what is? PGP? Yes and no. PGP allows you to trust that a developer believes that their binary and source are good. What if that developer has been trojaned? Well, I guess everybody else who uses that software is too. Look at the recent debian hack. If the exploit the attacker used worked on 64-bit systems, the main machine that signs and distributes compiled binaries would have been hacked. Great, now we have PGP signed trojans. Clearly using PGP does not make you bulletproof.

So what do we do? I know many will be happy with nonsense like "nothing is perfect", hell, people used to argue against encryption on those grounds on the debian mailing lists. The argument went like this. People know that MD5 is insecure, so it keeps them on their toes, but people think PGP is perfect and might get lazy. Uh huh. Lets keep the system broken so that we know there is at all times a gaping hole in our system that would make the goatse man jealous.

Here is what I think we should do. First require developers to sign their source code before release. That is just a first step. Second, have many reviewers. Lots of people read patches before they apply them to be sure that there are no back doors. These people should also sign the patches. Once there are enough signatures on source saying it is good, a distributed compilation takes place. Again signatures are compared, this time of the binaries (or a tarball of them). Yes there will be a few complications, the compiler systems will need to be similar enough to produce exact code, or the insignificant portions of the binary can be ignored in the checksum - whatever, we can handle that problem. As long as everyone uses the same version of GCC, or it is at least specified which one was used (and which switches were used for ./configure) there can now be many signed binary packages that are practically as transparent as the source code.

Who trusts who might seem like a big deal, but really it isn't. Debian can require that the source code is verified by certain people before being compiled, and the binaries signed by certain people before official distribution. The NSA will likely choose completely different people to check source code, and have their own compile farms. Who will I trust? Well put it this way. I would want to know what both Debian and the NSA have to say, especially if they disagree. I will listen

Simple...

[inertia187]

Sounds like we need some kind of trusted computing paradigm. I hear a company who's name starts with M and ends with icrosoft is working on something like that. We can trust them, I'm sure.