Software updates and TUF

Conclusion

You can no longer assume downloading unsigned software is safe. Between programs like FinFisher and the verified incidents of widespread BGP route hacking, it is best to assume that even if you are not targeted by attackers, you might get caught up in a widespread attack. Relying on HTTPS isn't a safe bet anymore, because certificate authorities can issue fake certificates to government departments so that they can intercept SSL communications. What is needed is end-to-end signing of the data, as well as signed metadata – all of which TUF provides.

Infos

  1. FinFisher: http://en.wikipedia.org/wiki/FinFisher
  2. OpenSSL website compromised: http://www.openssl.org/news/secadv_hack.txt
  3. TUF – The Update Framework: https://github.com/theupdateframework
  4. Tor: https://www.torproject.org/
  5. Survivable key compromise: http://freehaven.net/~arma/tuf-ccs2010.pdf
  6. OpenGPG card: http://www.g10code.de/p-card.html
  7. PEP 458: http://www.python.org/dev/peps/pep-0458/
  8. TUF interface for RubyGems: http://rubyforge.org/pipermail/rubygems-developers/2013-November/007044.html
  9. Targeted Internet traffic misdirection: http://www.renesys.com/2013/11/mitm-internet-hijacking/
  10. Further improving digital certificate security: http://googleonlinesecurity.blogspot.ca/2013/12/further-improving-digital-certificate.html

The Author

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.

« Previous 1 2 3 4 5 6 7

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
Print Issues
Digital Issues
 
SUBSCRIPTIONS
Print Subs
Digisubs
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus

Visit Our Shop

Trial Subscription

Digital Subscription

Subscribe

Direct Download

Read full article as PDF:

Price $2.95

DevOps

News

Tag Cloud

Administration Community Events Hardware Linux Linux New Media Linux Pro Magazine Mobile Programming Software Ubuntu Web Development Windows free software open source