Security Concern: Unsigned Windows Executable
reynt0 at cs.albany.edu
Fri Jun 12 20:14:40 CEST 2009
On Tue, 9 Jun 2009 gpg2.20.maniams at dfgh.net wrote:
. . .
> *some practical questions with the above as given *
> - Would It help if I had two networks to connect to ...say the home one and
> the office one ?
. . .
Phrasing my answer now in terms related to the original
question starting this thread: Simple file coherence can
be used to maximize likelihood of getting an untampered
file (assuming it is untampered as it exists at its download
source(s)). The more different locations people are at when
they try downloads--and, if available, the more different
sites from which they can download--gives them distinct
download results which you can then compare to look for
coherence agreement. This also makes it less obvious for a
network observer to know who is doing the downloading--the
"anonymity of the flock" (like flock of birds). (On the
other hand, it may also give the impression to a network
traffic *observer* that so many people are downloading a
file that it would be worth the observer's effort to mount
a tampering MitM *attack*.) Depending on the network
topology between your location(s) and the source location(s),
the problem the would-be tamperer/attacker has, of where to
position itself to be able to tamper, becomes harder. But
this is just one more simple tactic to add to checksum
validations, file signing, etc.
More information about the Gnupg-users