On Fri, Mar 16, 2012 at 8:16 PM, Jonas Sicking <jo...@sicking.cc> wrote:
> On Wed, Mar 14, 2012 at 2:35 PM, Lucas Adamski <ladam...@mozilla.com> wrote:
>> My understanding is that there will be multiple app stores. But code
>> signing has another benefit: reducing systemic risk.
>>
>> This assumes code signing and sane key management, but let's say there's a
>> very popular app with significant privileges.
>> To compromise a large number of people, you'd need to:
>> a) compromise the site hosting the app
>> b) compromise the key signing the app (assuming you require app updates to
>> be signed with the same key)
>> c) compromise or trigger the update mechanism for the app
>> d) wait for updates to trickle out
>>
>> This is a tedious process that slows down exploitation, and that's no fun.
>>
>> If app authentication relies only on SSL, then you just need to pop a web
>> server (which isn't hard, really). Everyone
>> using the app gets owned simultaneously.
>
> If we rely on only SSL we still get a), c) and d) AFAICT. Signing only
> adds b). The other question is, how do you deliver the keys? It would
> have to be through some mechanism other than through the web server to
> add any level of security.
now that this problem has been raised, i hope it highlights why debian has
the "apt-keyring" concept, because it solves exactly this problem. and
because the whole shebang uses GPG not SSL, it's like... done properly?
yknow? :)

$ apt-cache search keyring debian
debian-maintainers - GPG keys of Debian maintainers
debian-archive-keyring - GnuPG archive keys of the Debian archive
debian-edu-archive-keyring - GnuPG archive keys of the Debian Edu archive
debian-keyring - GnuPG keys of Debian Developers
debian-ports-archive-keyring - GnuPG archive keys of the debian-ports archive
devscripts - scripts to make the life of a Debian Package maintainer easier
emdebian-archive-keyring - GnuPG archive keys for the emdebian repository
jetring - gpg keyring maintenance using changesets
debian-multimedia-keyring - GnuPG archive key of the debian-multimedia repository

btw, just for a larf:

$ apt-cache show debian-keyring
Package: debian-keyring
Version: 2011.12.01
Installed-Size: 42369

42mb for a keyring!! that's one hell of a lot of keysigning parties :)

**note the description**:

Description-en: GnuPG keys of Debian Developers
 The Debian project wants developers to digitally sign the announcements
 of their packages with GnuPG, to protect against forgeries. This package
 contains keyrings of GnuPG and keys of developers.

hint, hint. "to protect against forgeries".

l.

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
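The pinned-key update check the thread is arguing about, as an added example in Go (not code from the thread, from Mozilla or from Debian): the client records the publisher's key out of band at install time, the way a keyring package delivers archive keys, and accepts an update only if it is signed by that same key, the signature verifies, and the version moves forward. Ed25519, the app name, the struct layout and the digest format are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// InstalledApp pins the publisher key recorded at install time. The key is
// assumed to reach the client out of band, never from the update web server.
type InstalledApp struct {
	Name         string
	PinnedPubKey ed25519.PublicKey
	Version      int
}
// Update is what the (possibly compromised) web server hands the client.
type Update struct {
	Version   int
	Payload   []byte
	PubKey    ed25519.PublicKey // key the server claims signed this update
	Signature []byte
}
// updateDigest binds name, version and payload so a signature cannot be reused across versions.
func updateDigest(name string, version int, payload []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%d\x00", name, version)
	h.Write(payload)
	return h.Sum(nil)
}
// SignUpdate is the publisher's side: sign the digest with the long-lived app key.
func SignUpdate(priv ed25519.PrivateKey, name string, version int, payload []byte) Update {
	return Update{Version: version, Payload: payload, PubKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, updateDigest(name, version, payload))}
}
// VerifyUpdate is the client's side: popping the web server alone is not enough, the signer
// must be the pinned key (step b in the thread), the signature must verify, and the
// version must move forward so an old signed build cannot be replayed.
func VerifyUpdate(app InstalledApp, u Update) error {
	if !app.PinnedPubKey.Equal(u.PubKey) {
		return fmt.Errorf("%s: update signed by a key other than the pinned one", app.Name)
	}
	if !ed25519.Verify(app.PinnedPubKey, updateDigest(app.Name, u.Version, u.Payload), u.Signature) {
		return fmt.Errorf("%s: signature on version %d does not verify", app.Name, u.Version)
	}
	if u.Version <= app.Version {
		return fmt.Errorf("%s: version %d is not newer than installed %d", app.Name, u.Version, app.Version)
	}
	return nil
}
```

With only SSL, an attacker who has popped the server could serve any payload; with this check, a payload signed by a freshly generated key, a tampered payload, or a replayed older build is rejected, and only the holder of the pinned key can ship something the client will accept.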