TUF Love » Linux Magazine

Software updates and TUF

Conclusion

You can no longer assume downloading unsigned software is safe. Between programs like FinFisher and the verified incidents of widespread BGP route hacking, it is best to assume that even if you are not targeted by attackers, you might get caught up in a widespread attack. Relying on HTTPS isn't a safe bet anymore, because certificate authorities can issue fake certificates to government departments so that they can intercept SSL communications. What is needed is end-to-end signing of the data, as well as signed metadata – all of which TUF provides.

Infos

FinFisher: http://en.wikipedia.org/wiki/FinFisher
OpenSSL website compromised: http://www.openssl.org/news/secadv_hack.txt
TUF – The Update Framework: https://github.com/theupdateframework
Tor: https://www.torproject.org/
Survivable key compromise: http://freehaven.net/~arma/tuf-ccs2010.pdf
OpenGPG card: http://www.g10code.de/p-card.html
PEP 458: http://www.python.org/dev/peps/pep-0458/
TUF interface for RubyGems: http://rubyforge.org/pipermail/rubygems-developers/2013-November/007044.html
Targeted Internet traffic misdirection: http://www.renesys.com/2013/11/mitm-internet-hijacking/
Further improving digital certificate security: http://googleonlinesecurity.blogspot.ca/2013/12/further-improving-digital-certificate.html

The Author

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.

« Previous 1 2 3 4 5 6 7

Buy this article as PDF

Express-Checkout as PDF

Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES

Print Issues

Digital Issues

SUBSCRIPTIONS

Print Subs

Digisubs

TABLET & SMARTPHONE APPS

US / Canada

UK / Australia

Read full article as PDF:

Price $2.95

News

Heartbleed Bleeds On

According to a report, many potential victims of the Heartbleed attack have patched their systems, but few have cleaned up the crime scene to protect themselves from the effects of a previous intrusion.
Drone Brain Goes Open Source

DARPA and NICTA release the code for the ultra-secure microkernel system used in aerial drones.
Password Management Services Vulnerable to Attack

Should you trust an online service to store your online passwords?
New Raspberry Pi Adds Two USB Ports

New B+ board lets you build cool things without the complication of a powered USB hub.
Microsoft Grabs No-IP.com Domains

Redmond rushes in to root out alleged malware haven.
Firefox Steps into 3D

New initiative will bring futuristic virtual reality effects to the web surfing experience.
New Trojan Targets Online Banking

Dyreza malware launches a man-in-the-middle attack that compromises SSL.
HP Rolls Out Massive Cloud Network

New cloud combines worldwide access with local attention to data security.
New Attack Targets Wireless Logins

A first cousin of the recent Heartbleed attack affects EAP-based wireless and peer-to-peer authentication.
Geeks Petition for Free Lenovo BIOS

FOSS community acts to protect freedom of choice for laptop devices.