On Mon, 04 Aug 2003 10:37:20 -1000, Jason Coombs said:
> > Closing down *most* of these exposures is why the 'rpm' package manager
> > supports using PGP to sign the packages...
>
> You *do* realize that digital signatures can be forged with theft of private
> keys, right?
Yep, fully aware of that. On the other hand, there's the *presumption* that the machine that RedHat or Sendmail do the signing on is somewhat more hardened than the externally-visible server that the files live on. I was also aware of all the other points you brought up - which is why I said "*most* of the holes" - the note was getting quite long enough already. (As it was, I axed a mention of the Verisign/Microsoft cert whoops due to length - if I hadn't scared the OP off the concept of automated updates already, adding more to the list wouldn't change matters).

On the flip side, *most* of the interesting MITM attacks on code update require the attacker to wait for the target to do an update. For the *vast* majority of systems on the Internet, the benefit of having recently patched code or AV-scanner signatures *far* outweighs the risks of actually being targeted during an update. There is, indeed, no absolute security - it's all about minimizing *total* risk.

Remember - you're downloading the update (code or AV) to fix a *known* exposure. How bad a burn would Mimail have had if people *didn't* have automated AV updates? How much less of a burn would CodeRed or Nimda have had if more people had visited WindowsUpdate on a regular basis?

It's the same issue as vaccinating children against diseases - yes, some very small percentage of children do have nasty side effects from the various vaccines. But that needs to be balanced against the dangers of not being vaccinated at all....
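The two attacker models the exchange above contrasts (a man in the middle who swaps the downloaded file versus someone who has stolen the vendor's private signing key) can be made concrete with a small model of a signed update. This is an added illustration, not code from the original messages or from rpm or PGP. It uses textbook RSA over a fixed toy key built from two Mersenne primes and a truncated SHA-256 digest so the value fits under the modulus; the key, the modulus size, the truncation and the sample "package" bytes are all assumptions made for the demo, and none of it is a usable signature scheme.

```python
# Toy model of a signed software update, added as an illustration for this
# thread (not code from the original messages or from rpm/PGP).  Textbook RSA
# over a fixed modulus built from two Mersenne primes, with SHA-256 truncated
# so the digest is below the modulus: every one of those choices is an
# assumption made for the demo and none of it is a usable signature scheme.
import hashlib
from typing import Tuple

# Assumed fixed key pair.  In the deployment the thread describes, D exists
# only on the hardened signing host; the download mirror holds just E and N.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # modular inverse, Python 3.8+


def digest(data: bytes) -> int:
    """Truncate SHA-256 to 26 bytes (208 bits) so the integer is below N (toy only)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:26], "big")


def sign(data: bytes, private_exponent: int) -> int:
    """RSA signature: what the vendor's signing host does to a package."""
    return pow(digest(data), private_exponent, N)


def verify(data: bytes, signature: int) -> bool:
    """What the client does with the vendor's public key before installing."""
    return pow(signature, E, N) == digest(data)


# Constructed sample "packages" for the demo (not real package contents).
GOOD_UPDATE = b"sendmail-8.12.9-1.rpm: fixes a remotely exploitable bug"
EVIL_UPDATE = b"sendmail-8.12.9-1.rpm: same name, trojaned contents"


def publish(update: bytes) -> Tuple[bytes, int]:
    """Signing host signs; the mirror serves (file, signature) to the world."""
    return update, sign(update, D)


def mitm_swap(served: Tuple[bytes, int], replacement: bytes) -> Tuple[bytes, int]:
    """Attacker on the path (or who owns the mirror) swaps the file but has
    no private key, so the original signature is all they can attach."""
    _original_file, original_sig = served
    return replacement, original_sig


def forge_with_stolen_key(replacement: bytes, stolen_d: int) -> Tuple[bytes, int]:
    """Attacker who stole D from the signing host produces a valid signature."""
    return replacement, sign(replacement, stolen_d)


def client_accepts(served: Tuple[bytes, int]) -> bool:
    """Client-side policy: install only if the signature verifies."""
    data, signature = served
    return verify(data, signature)


if __name__ == "__main__":
    genuine = publish(GOOD_UPDATE)
    print("genuine update accepted:    ", client_accepts(genuine))
    print("MITM-swapped file accepted: ", client_accepts(mitm_swap(genuine, EVIL_UPDATE)))
    print("stolen-key forgery accepted:", client_accepts(forge_with_stolen_key(EVIL_UPDATE, D)))
```

The swapped file fails because the attacker can only reuse a signature over different bytes, which is the case a check such as `rpm --checksig` (`rpm -K`) or `gpg --verify` catches before anything is installed. The forgery passes every client-side check, which is Jason's point and also why the reply leans on the signing key living only on a host that is more hardened than the mirror the files are fetched from.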