Security Concern: Unsigned Windows Executable

Doug Bateman doug at dougbateman.net
Sun Jun 7 06:56:39 CEST 2009


Hi all,

I've been fairly quiet after the original post, as I'm out of the country
for the next week.  But I do want to reply (and hope to give a better reply
once I'm back home).  I do agree that sophisticated Man in the Middle
attacks are hard to do.  And I'm well aware of the idea that PGP stood for
privacy that was "Pretty Good", not perfect.  And in the chain of trust,
there is only "good enough" because the Rabbit Hole goes down forever (do
you trust your CPU and its microcode, the BIOS, the people who signed a
key/cert, and yeah, the NSA could be sniffing for EM signatures of hard drive
writes).  And of course, I'd be disappointed if the GPG community wasn't
quick to raise these issues and point out every subtle error of argument in
the original email.  After all, this is a community dedicated to
establishing the meaning of a circle of trust.

But I'm afraid that RJH here is the only one who really focused on the true
intent of the original email.  It was really quite a simple objective... I
want "Pretty Good" certainty that the .EXE I download is the .EXE produced
by the GPG community.  And in the case of Windows, this Pretty Good certainty
when downloading the Win32 GPG client is the important first step in
establishing an ongoing PGP-style chain of trust.  Using the downloaded
Win32 GPG client to then check its own integrity, absent some other
available check, just doesn't meet what I'd consider "Pretty Good" message
integrity (nor is it "Pretty Bad"... yes, it's somewhere in the middle, as
script kiddies would find it difficult to hack and the NSA would surely win
regardless if they tried).

I really respect RJH's reply, as he gave concrete recommendations on how I
can verify the authenticity of the download.  It's a bit user-unfriendly, as
it involves getting a trusted copy of Linux first, but that can be done.  I
thank you, Robert.

So here's the suggestion... for only $80/year for a 3-year certificate, you
can sign the EXE using the Windows Authenticode standard (or the Mac code
signing standard, or the Java Jar signing standard, and many other systems
that use CERTS for code signing).  Then, everyone downloading GPG onto
Windows, Mac, or elsewhere can verify the signature on the downloaded file.
Is it perfect?  No.  Could the private key be stolen?  Of course.  But is it
"Pretty Good" by the community standard?  You bet.  And now GPG can be used
from there on, establishing access to the GPG circle of trust for that
PC/Mac/machine.

To the community, I ask... rather than having a debate of the nature of
vulnerabilities and how easy it is for a 4-year-old Linux-based home router
to be hacked or which skills would be needed to use that hacked router in an
MTM attack, why not ask ourselves how we can do a little bit more to make
our privacy even more secure?  As a community, we do value message
integrity, privacy, trust, and certainty, yes?  Comodo will sell a 3-year
cert for $240.  Heck, I'll even throw in the $240 if the community agrees to
use the cert to sign future Windows & Mac clients using the native OS's code
signing system (Authenticode on Windows).

In summary, a program can't remain "Pretty Good" for long, if people aren't
always looking for ways to make "Pretty Good" even better.  And after all,
isn't that what this community is about?  Making Pretty Good even better,
and trust accessible to everyone, regardless of platform.

With Regards,
Doug