On Thu, Dec 06, 2007 at 11:48:55AM +0100, Hannah Schroeter wrote:
> One risk would be the plans of "online surveillance" of computers e.g.
> in Germany. One way to install surveillance even on OpenBSD would be to
> actively interfere with the internet connection with the surveilled
> person, in the man-in-the-middle sense, and inject trojanned code
> ("Bundestrojaner") into the updates of the victim.
Using software from any source without interference from an
all-pervasive government is a very special, but unfortunatly today, a
very real issue for many people around the world. To be secure, you
have to get pieces of the puzzle over multiple paths. It all can't come
via the net since then you're open to man-in-the-middle.
Key-revocation announcements could come over the net (via an announce
list) but the new key would then have to come over a second channel.
One second-channel option is the q6mth CD issue, which could include a
new public key and e.g. known-hosts fingerprints. This is vulnerable to
a very determined man-in-the-middle who can replicate and then alter the
CD before it arrives to you in the mail.
Another option is a trusted courier flying to Alberta and get a CD from
the OpenBSD store (yeah, right).
In fact, likely any other technological option (e.g. an answering
machine in Alberta that spits out the alphanumerics of the current
master public key) is still suceptible.
If every piece of information you receive is filter through your
government, is there any hand-shaking protocol that can allow you to
establish a verified information connection (not necessarily encrypted)?
I don't think so.
Sure, Debian has signed .debs that use gpg as a back end (the system is
called apt-key), it relies on you trusting the fist key that you get
from them. Since Debian doesn't actually mail out its own CDs,
everything is off its mirrors. apt-key only 'protects' you from a later
man-in-the-middle.
I think that this is the central 'problem' that people are dancing
around.
Personally, if this thread is to continue, I would like to see it move
from a "Why doesn't OpenBSD do things this way?" to a "What are the
threat models for OpenBSD identity theft and how can we protect
ourselves?".
Doug.
