TUF Love - Page: 2.8 » Linux Magazine

Software updates and TUF

Conclusion

You can no longer assume downloading unsigned software is safe. Between programs like FinFisher and the verified incidents of widespread BGP route hacking, it is best to assume that even if you are not targeted by attackers, you might get caught up in a widespread attack. Relying on HTTPS isn't a safe bet anymore, because certificate authorities can issue fake certificates to government departments so that they can intercept SSL communications. What is needed is end-to-end signing of the data, as well as signed metadata – all of which TUF provides.

Infos

FinFisher: http://en.wikipedia.org/wiki/FinFisher
OpenSSL website compromised: http://www.openssl.org/news/secadv_hack.txt
TUF – The Update Framework: https://github.com/theupdateframework
Tor: https://www.torproject.org/
Survivable key compromise: http://freehaven.net/~arma/tuf-ccs2010.pdf
OpenGPG card: http://www.g10code.de/p-card.html
PEP 458: http://www.python.org/dev/peps/pep-0458/
TUF interface for RubyGems: http://rubyforge.org/pipermail/rubygems-developers/2013-November/007044.html
Targeted Internet traffic misdirection: http://www.renesys.com/2013/11/mitm-internet-hijacking/
Further improving digital certificate security: http://googleonlinesecurity.blogspot.ca/2013/12/further-improving-digital-certificate.html

The Author

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.

« Previous 1 2 3 4 5 6 7

Buy this article as PDF

Express-Checkout as PDF

Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES

SUBSCRIPTIONS

Print Subs

Digisubs

TABLET & SMARTPHONE APPS

US / Canada

UK / Australia

Related content

Security Lessons: Modified Code Attacks

Learn how to protect yourself against malicious attacks by modified source code.

more »
Security Lessons: Signing Code

Kurt looks at the practice of code signing and examines why so few upstream open source projects actually do it.

more »
Security Lessons

Researchers set out to compromise MD5 in an effort to convince people to stop using it. We explain how the attack worked and what this means for you.

more »
Security Issue with FLAC Audio Codec

Loss free audio codecs are gaining in popularity with device manufacturers; right now, a vulnerability in the Free Lossless Audio Codec (FLAC) spoils users listening pleasure.

more »
Drupal Advisory Unleashes a Torrent of Attacks

Users only had 7 hours to update before the intrusions started.

more »

comments powered by Disqus

Visit Our Shop

Trial Subscription

Digital Subscription

Subscribe

Direct Download

Read full article as PDF:

Price $2.95

News

Old Vulnerabilities Are Kept Alive Through Bad Configuration

HP's annual Cyber Risk report offers a bleak look at the state of IT.
Linus Torvalds Announces Linux 4.0

But what do the big numbers really mean?
Microsoft Frees CoreCLR

.NET , CoreCRL , open source

.NET Core execution engine is the basis for cross-platform .NET implementations.
New Trojan Attacks Linux Servers

Xnote

The Xnote trojan hides itself on the target system and will launch a variety of attacks on command.
Cisco Releases Annual Security Report

Spammers go low-volume, and 90% of IE browsers are unpatched.
Zero Day Exploits Target Flash

Adobe scrambles to release patches for vulnerable Flash Player.
Intel Unveils Compute Stick

Four-inch-long computer on a stick lets you boot a full Linux system from any HDMI display device.
Obama Proposes Personal Data Notification Law

New statute would require companies to report break-ins to consumers.
TGXf Project Warns of File Transfer through Screen Pixels

Weird data transfer technique avoids all standard security measures.
Industry Giants Announce a Fix for the Password Mess

FIDO alliance declares the beginning of the end for old-style login authentication.