TUF Love - Page: 2.8 » Linux Magazine

Software updates and TUF

Conclusion

You can no longer assume downloading unsigned software is safe. Between programs like FinFisher and the verified incidents of widespread BGP route hacking, it is best to assume that even if you are not targeted by attackers, you might get caught up in a widespread attack. Relying on HTTPS isn't a safe bet anymore, because certificate authorities can issue fake certificates to government departments so that they can intercept SSL communications. What is needed is end-to-end signing of the data, as well as signed metadata – all of which TUF provides.

Infos

FinFisher: http://en.wikipedia.org/wiki/FinFisher
OpenSSL website compromised: http://www.openssl.org/news/secadv_hack.txt
TUF – The Update Framework: https://github.com/theupdateframework
Tor: https://www.torproject.org/
Survivable key compromise: http://freehaven.net/~arma/tuf-ccs2010.pdf
OpenGPG card: http://www.g10code.de/p-card.html
PEP 458: http://www.python.org/dev/peps/pep-0458/
TUF interface for RubyGems: http://rubyforge.org/pipermail/rubygems-developers/2013-November/007044.html
Targeted Internet traffic misdirection: http://www.renesys.com/2013/11/mitm-internet-hijacking/
Further improving digital certificate security: http://googleonlinesecurity.blogspot.ca/2013/12/further-improving-digital-certificate.html

The Author

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.

« Previous 1 2 3 4 5 6 7

Buy this article as PDF

Express-Checkout as PDF

Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES

SUBSCRIPTIONS

Print Subs

Digisubs

TABLET & SMARTPHONE APPS

US / Canada

UK / Australia

Related content

Security Lessons: Modified Code Attacks

Learn how to protect yourself against malicious attacks by modified source code.

more »
Security Lessons: Signing Code

Kurt looks at the practice of code signing and examines why so few upstream open source projects actually do it.

more »
Security Lessons

Researchers set out to compromise MD5 in an effort to convince people to stop using it. We explain how the attack worked and what this means for you.

more »
Security Issue with FLAC Audio Codec

Loss free audio codecs are gaining in popularity with device manufacturers; right now, a vulnerability in the Free Lossless Audio Codec (FLAC) spoils users listening pleasure.

more »
Drupal Advisory Unleashes a Torrent of Attacks

Users only had 7 hours to update before the intrusions started.

more »

comments powered by Disqus

Visit Our Shop

Trial Subscription

Digital Subscription

Subscribe

Direct Download

Read full article as PDF:

Price $2.95

News

Nextcloud Announces Raspberry Pi-Powered Home Cloud Box

Innovative system adds a hard drive and Ubuntu Core to the RPi for an IoT hub.
Linus Torvalds Confirms the Date of the First Linux Release

Linux is two weeks younger than we thought!
End of OpenOffice?

OpenOffice

The Apache Software Foundation considers retiring OpenOffice
Adobe Gives New Life to NPAPI Plugin for Linux

Adobe Flash , Flash Player

Adobe won’t kill the plugin in 2017
LinuxCon North America Convenes in Toronto, Canada

Linux Foundation's big event celebrates the 25th anniversary of Linux
Linux Turns 25

Linux has evolved from “won’t be a professional” project to one of the most professional software projects in the history of computers.
Mirantis Joins Hands with SUSE To Offer RHEL Support; Red Hat Not Happy

Competitors get in the game with RHEL without Red Hat
Linux on Windows 10 Poses a Security Risk

Security researchers have already notified Microsoft; some fixes are available
Mirantis to Refactor OpenStack Fuel for Kubernetes

The company is collaborating with Google and Intel to use Kubernetes as an engine for Fuel
Canonical Joins Document Foundation Advisory Board

The upcoming release of LibreOffice will be available as a snap package