Security Concern: Unsigned Windows Executable

Doug Bateman doug at dougbateman.net
Fri Jun 12 22:02:02 CEST 2009


Here's an interesting question.... why does GnuPG.org bother providing a GPG
signature with its downloaded files?

I can guess at several possible reasons other than MitM attacks: (a) To
allow users to ensure mirrored copies are legit, (b) To safeguard against
tampering with the file on the download server (e.g. hacked server,
untrusted or hacked mirror, etc), (c) general peace of mind.  And yes, in
the unlikely event of an MitM attack, it helps too, but we'll assume that's
less likely than many other possible vulnerabilities.

So this raises the question... If we bother GPG signing our distributions,
why not also Authenticode sign the .exe's so that users who don't already
have GPG installed can verify the download?  Is it about cost (~$200/3
years)?  Is it about principle?  Is it about the effort to add the
Authenticode signature to the Win32 build script?

And a good answer to the prior question, Rynt.  Thanks!

Regards,
Doug

On Fri, Jun 12, 2009 at 11:14 AM, reynt0 <reynt0 at cs.albany.edu> wrote:

> On Tue, 9 Jun 2009 gpg2.20.maniams at dfgh.net wrote:
>  . . .
>
>> *some practical questions with the above as given *
>>
>> - Would It help if I had two networks to connect to ...say the home one
>> and
>> the office one ?
>>
>  . . .
>
> Phrasing my answer now in terms related to the original
> question starting this thread:  Simple file coherence can
> be used to maximize likelihood of getting an untampered
> file (assuming it is untampered as it exists at its download
> source(s)).  The more different locations people are at when
> they try downloads--and, if available, the more different
> sites from which they can download--gives them distinct
> download results which you can then compare to look for
> coherence agreement.  This also makes it less obvious for a
> network observer to know who is doing the downloading--the
> "anonymity of the flock" (like flock of birds).  (On the
> other hand, it may also give the impression to a network
> traffic *observer* that so many people are downloading a
> file that it would be worth the observer's effort to mount
> a tampering MitM *attack*.)  Depending on the network
> topology between your location(s) and the source location(s),
> the problem the would-be tamperer/attacker has, of where to
> position itself to be able to tamper, becomes harder.  But
> this is just one more simple tactic to add to checksum
> validations, file signing, etc.
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
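The "file coherence" tactic in the quoted reply (download the same file from several locations and mirrors, then compare the copies) can be scripted. The following is an added example and not code from the thread or from the GnuPG project; the byte strings standing in for downloaded copies are constructed for the example, and one of them is deliberately altered to play the role of a tampered mirror. It also cross-checks each copy against a checksum assumed to have been obtained out of band, since, as the reply notes, coherence is an addition to checksum and signature validation, not a replacement for it.

```python
import hashlib
from collections import Counter

# Constructed sample "downloads": the same release file as fetched from
# several vantage points and mirrors. These bytes are made up for the
# example; the last copy is altered to simulate a tampered path or mirror.
GOOD = b"gnupg-w32cli-placeholder.exe contents (constructed bytes)\n"
DOWNLOADS = {
    "home-network/mirror-a": GOOD,
    "office-network/mirror-a": GOOD,
    "home-network/mirror-b": GOOD,
    "cafe-wifi/mirror-c": GOOD + b"\x90\x90 appended bytes\n",  # altered copy
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of one downloaded copy, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def check_coherence(copies: dict) -> dict:
    """Hash every copy and report which sources disagree with the majority.

    A majority is not proof that the file is genuine (every path could be
    bad, or the file could be bad at the source); it only forces a would-be
    tamperer to corrupt most of the paths at once, which is the point of the
    tactic. The caller still has to verify a signature or a published hash.
    """
    digests = {src: sha256_hex(data) for src, data in copies.items()}
    tally = Counter(digests.values())
    majority_digest, majority_count = tally.most_common(1)[0]
    outliers = sorted(src for src, d in digests.items() if d != majority_digest)
    return {
        "majority_digest": majority_digest,
        "majority_count": majority_count,
        "total": len(copies),
        "outliers": outliers,
        "coherent": len(tally) == 1,
    }


def mismatching_published(copies: dict, published_sha256: str) -> list:
    """Return the sources whose copy does not match a checksum obtained
    out of band (e.g. from the project's signed release notes)."""
    expected = published_sha256.strip().lower()
    return sorted(src for src, data in copies.items()
                  if sha256_hex(data) != expected)


if __name__ == "__main__":
    report = check_coherence(DOWNLOADS)
    print(f"{report['majority_count']}/{report['total']} copies agree on "
          f"{report['majority_digest'][:16]}...")
    for src in report["outliers"]:
        print(f"  disagrees: {src}")
    # Constructed: pretend the published checksum is the digest of GOOD.
    bad = mismatching_published(DOWNLOADS, sha256_hex(GOOD))
    print("copies failing the published checksum:", bad or "none")
```

Run as a script it prints which vantage point produced the odd copy; in practice the dictionary values would be the bytes read from the files each location actually downloaded.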