lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sat, 20 Sep 2003 20:08:25 -0400
From: "Jonathan A. Zdziarski" <jonathan@...learelephant.com>
To: Piermark <bugs84@...ero.it>
Cc: bugtraq@...urityfocus.com, security-basics@...urityfocus.com,
   full-disclosure@...ts.netsys.com
Subject: OpenSSH Mirror "Mallory" Attack Vulnerability [Was: Re: <Advice>
 Possible Backdoor into openssh-3.7.1p1-i386-1.tgz from Slackware Mirror]

Looking at how the mirrors for all the openssh distros are laid out, I
don't see much point in trying to verify them using PGP unless you've
previously imported it.  Each mirror contains the public key, the file,
and the signature in the same directory, so any first-time downloader
could get a tainted distribution with an "authentic" signature.  If
somebody did manage to find a way to hack a mirror, they could easily
copy over their public key, hacked file, and signature.  At the very
least, the public key needs to be kept on a different set of [secure]
servers, possibly even with an MD5 of the public key sitting on a third
server just to make it all the more difficult to falsify
authentication.  

I haven't looked lately, is this a common practice with mirror sites and
PGP signing distributions? If so, it seems to eliminate the purpose PGP
signing was originally intended for.






Content of type "text/html" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ