Hi all, Thanks for your response. Personally, the level of risk i am willing to deal with goes like this: if i can crack it then security is not good enough.
I have experience with basic mitm techniques like arp poisoning, transparent http proxies and tools like sslsplit. Although i can generate a bad CA and insert it into my own browser, pushing one into a lot of browsers requires one to be much more ressourceful. Yes, the CA model is flawed. Among its failures, my own personal favorites were the cases of diginotar and superfish. Still, it is much better than distribution over plain http which make attacks practical to anyone with the ability to pull zarp from github. Finally, i would also suggest sending more messengers to battle to mitigate the bizantine generals problem raised in the lwn.net article. In this case, that would mean a wider distribution of the keys. GPG keys could be pushed to different keys servers as well as being published on the download page, then on mailing list when a new release is announced, etc. Still not perfect but it should make an attack harder to mount and sustain. Cheers Marc-andré -- Marc-andré Labonté Senior system administrator McGill University and Génome Québec Innovation Centre 740, Dr. Penfield Avenue, Room 7203 Montréal (Québec) Canada H3A 0G1 On 07/02/2015 04:00 AM, Jonathan Hermann wrote: > Good article, thanks for posting! > And you're right, https isn't THE thing to trust in. > > > Mit freundlichen Grüßen / Kind regards > > Jonathan (Nathan) Hermann > > IT Specialist HPC and HPSS > Global Technology Services > ---------------------------------------- > IBM Deutschland > IBM-Allee 1 > 71139 Ehningen > Phone: +49-160-98976942 > E-Mail: [email protected] > ---------------------------------------- > IBM Deutschland Business & Technology Services GmbH / Geschäftsführung: Frank > Hammer, Thorsten Moehring > Sitz der Gesellschaft: Ehningen / Registergericht: Amtsgericht Stuttgart, HRB > 17122 > > > > From: Christopher Samuel <[email protected]> > To: [email protected] > Date: 02.07.2015 02:11 > Subject: Re: [xcat-user] how to validate gpg key. > > > > On 01/07/15 18:24, Jonathan Hermann wrote: > >> Just thinking out loud: if Marc-André's purpose is to validate content > that >> was downloaded via insecure http, then a gpg key downloaded via insecure >> http is somewhat pointless. I mean, statistically, chances are a bit > better >> that only one of both connections gets manipulated (if at all), but > still, >> the whole process in itself is vulnerable. > > However, even using https is not necessarily a great thing given the > recent history of CA security and the general level of (mis)trust in > centralised PKI systems these days. > > There's a nice LWN article on this issue from earlier this year on the > whole issue (focused mainly on distros, but the issues are the same for > any open source package): > > https://lwn.net/Articles/637595/ > > My feeling is that you have to set and clearly state the level of > paranoia/threat that you are willing to try and work to address and try > and avoid the temptation to go beyond that level (without updating your > statement first). > > All the best, > Chris > -- > Christopher Samuel Senior Systems Administrator > VLSCI - Victorian Life Sciences Computation Initiative > Email: [email protected] Phone: +61 (0)3 903 55545 > http://www.vlsci.org.au/ http://twitter.com/vlsci > > > ------------------------------------------------------------------------------ > > Don't Limit Your Business. Reach for the Cloud. > GigeNET's Cloud Solutions provide you with the tools and support that > you need to offload your IT needs and focus on growing your business. > Configured For All Businesses. Start Your Cloud Today. > https://www.gigenetcloud.com/ > _______________________________________________ > xCAT-user mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/xcat-user > > > > > > ------------------------------------------------------------------------------ > Don't Limit Your Business. Reach for the Cloud. > GigeNET's Cloud Solutions provide you with the tools and support that > you need to offload your IT needs and focus on growing your business. > Configured For All Businesses. Start Your Cloud Today. > https://www.gigenetcloud.com/ > _______________________________________________ > xCAT-user mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/xcat-user > ------------------------------------------------------------------------------ Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/ _______________________________________________ xCAT-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/xcat-user
