TUF Love - Page: 2.8 » Linux Magazine

Software updates and TUF

Conclusion

You can no longer assume downloading unsigned software is safe. Between programs like FinFisher and the verified incidents of widespread BGP route hacking, it is best to assume that even if you are not targeted by attackers, you might get caught up in a widespread attack. Relying on HTTPS isn't a safe bet anymore, because certificate authorities can issue fake certificates to government departments so that they can intercept SSL communications. What is needed is end-to-end signing of the data, as well as signed metadata – all of which TUF provides.

Infos

FinFisher: http://en.wikipedia.org/wiki/FinFisher
OpenSSL website compromised: http://www.openssl.org/news/secadv_hack.txt
TUF – The Update Framework: https://github.com/theupdateframework
Tor: https://www.torproject.org/
Survivable key compromise: http://freehaven.net/~arma/tuf-ccs2010.pdf
OpenGPG card: http://www.g10code.de/p-card.html
PEP 458: http://www.python.org/dev/peps/pep-0458/
TUF interface for RubyGems: http://rubyforge.org/pipermail/rubygems-developers/2013-November/007044.html
Targeted Internet traffic misdirection: http://www.renesys.com/2013/11/mitm-internet-hijacking/
Further improving digital certificate security: http://googleonlinesecurity.blogspot.ca/2013/12/further-improving-digital-certificate.html

The Author

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.

« Previous 1 2 3 4 5 6 7

Buy this article as PDF

Express-Checkout as PDF

Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES

SUBSCRIPTIONS

Print Subs

Digisubs

TABLET & SMARTPHONE APPS

US / Canada

UK / Australia

Related content

Security Lessons: Signing Code

Kurt looks at the practice of code signing and examines why so few upstream open source projects actually do it.

more »
Security Issue with FLAC Audio Codec

Loss free audio codecs are gaining in popularity with device manufacturers; right now, a vulnerability in the Free Lossless Audio Codec (FLAC) spoils users listening pleasure.

more »
Ubuntu Core 16

Canonical releases the minimal edition for embedded devices, Internet of Things, and cloud deployments.

more »
Security Updates for Firefox and Co

The Mozilla Foundation has just released Version 2.0.0.6 of its Firefox browser. The update fixes two security bugs. And there are new versions of both Thunderbird and Seamonkey.

more »
Security Lessons: Modified Code Attacks

Learn how to protect yourself against malicious attacks by modified source code.

more »

comments powered by Disqus

Visit Our Shop

Trial Subscription

Digital Subscription

Subscribe

Direct Download

Read full article as PDF:

Price $2.95

DevOps

Reinvent your network with DevOps tools and techniques:

AWS Automation Documents
Jekyll – A DIY HTML Engine
Automated Jenkins CI
Auditing Docker Containers in a DevOps Environment
Cloud Orchestration with Chef
Become a certified DevOps professional with the new Linux Professional Institute DevOps Tools Engineer certification."

News

Red Hat Enterprise Linux 7.5 Released

Community , Red Hat , Red Hat Linux

The latest release is focused on hybrid cloud.
Microsoft Releases a Linux-Based OS

Community , Kernel

The company is building a new IoT environment powered by Linux.
Solomon Hykes Leaves Docker

In a surprise move, Solomon Hykes, the creator of Docker has left the company.
Red Hat Celebrates 25th Anniversary with a New Code Portal

The company announces a GitHub page with links to source code for all its projects
Gnome 3.28 Released

Community , Gnome

The latest GNOME rolls out with better contact management and new features for handling virtual machines.
Install Firefox in a Snap on Linux

Community , Linux , Mozilla Foundation

Mozilla has picked the Snap package system to deliver its application to Linux users.
OpenStack Queens Released

OpenStack

The new release comes with new features for mission critical workloads.
Kali Linux Comes to Windows

Linux

The Kali Linux developers even managed to run full blown XFCE desktop via WSL.
Ubuntu to Start Collecting Some Data with Ubuntu 18.04

It will be an ‘opt-out’ feature.
CNCF Illuminates Serverless Vision

The Cloud Native Computing Foundation announces a paper describing their model for a serverless ecosystem.