[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5639) Digital (PGP-)signature for downloadable sources

On Aug 4, 2008, at 9:56 PM, h.b.furuseth@usit.uio.no wrote:

> Kurt@OpenLDAP.org writes:
>> On Aug 4, 2008, at 2:06 PM, h.b.furuseth@usit.uio.no wrote:
>>> Kurt@OpenLDAP.org writes:
>>>> I note as well that properly deploying release signing requires
>>>> more than script modification.  For instance, one does need to
>>>> consider that the host to sign the releases might itself been
>>>> taken over and the implications of such a takeover.
>>> For that part, signatures in the 'https:' site would help.
>> I think you need to re-think that assertion.
> Er, yes, I was thinking of the "outside" equivalent, hacking DNS and
> "taking over" that way.

Those mounting such attacks are more likely to take over google.com  
than openldap.org.

> I have the impression that's the most common way to "take over" a  
> site, but I may be wrong.

I would say it's a more commonly talked about "take over" approach at  
present.  Though I don't know if its more common that other major site  
"take over" approaches.  But "take over" of small sites, such are  
openldap.org, are different because the goal is different.  Folks  
"take over" major sites (generally in an isolated way, such as via a  
particular ISP) because there is a reasonable chance that users will  
access the taken over site.  These take overs often are attempts to  
install malware on user systems (be careful, that google search button  
might not be a true google search button).

Take over of small sites is commonly done to deface the site, to gain  
notoriety or to grind an axe or something.

So, I'm not particularly worried about former, but am worried about  
the latter.

But you and others brought up https:// in the context of a PGP signing  
discussion.  This is, I think, confused.

-- Kurt