lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: 29 Apr 2003 00:52:50 -0500
From: Frank Knobbe <fknobbe@...bbeits.com>
To: jasonc@...ence.org
Subject: RE: Windows Server 2003 Security Guide available

On Fri, 2003-04-25 at 16:27, Jason Coombs wrote:
> [...]
> For every .exe that Microsoft distributes, it should consider publishing a
> known good full-file hash code so that a hash verification tool of the user's
> choice can be used, on a platform of the user's choice, to verify that the
> file received over the network is the file they expected -- BEFORE attempting
> to use a tool like Windows Explorer to read structured information such as
> digital signature data out of the PE file's header sections.
> [...]

Jason,

I'm not sure how much a file hash will do to alleviate your concern
about MITM attacks. If for example MS web site gets hijacked, or somehow
else someone is able to replace the downloadable files, what stops them
from generating a new SHA-1 or MD5 hash?

While hashes can verify the integrity of a file, it doesn't do anything
to verify the authenticity of a file. That can only be done through a
signature. Of course that requires you to actually trust such a
signature/signer and trust in the method of verifying these signatures.

It sounds like you find flaws in the signature verification of Explorer.
While I agree that is substandard (how many patches are unsigned, but
people install them anyway?), I do believe that only signatures can
correct the deficiency you outline.

In a perfect world, MS would make their white papers available in an
widely adopted standard like PDF or PS files, and sign them using
PGP/GPG. But since this is not a perfect world, and we have to accept
proprietary .doc files or OS dependent executables, why not use a sub
optimal verification process? 

Regards,
Frank


Download attachment "signature.asc" of type "application/pgp-signature" (188 bytes)

Powered by blists - more mailing lists