TUF Love - Page: 2.8 » Linux Magazine

Software updates and TUF

Conclusion

You can no longer assume downloading unsigned software is safe. Between programs like FinFisher and the verified incidents of widespread BGP route hacking, it is best to assume that even if you are not targeted by attackers, you might get caught up in a widespread attack. Relying on HTTPS isn't a safe bet anymore, because certificate authorities can issue fake certificates to government departments so that they can intercept SSL communications. What is needed is end-to-end signing of the data, as well as signed metadata – all of which TUF provides.

Infos

FinFisher: http://en.wikipedia.org/wiki/FinFisher
OpenSSL website compromised: http://www.openssl.org/news/secadv_hack.txt
TUF – The Update Framework: https://github.com/theupdateframework
Tor: https://www.torproject.org/
Survivable key compromise: http://freehaven.net/~arma/tuf-ccs2010.pdf
OpenGPG card: http://www.g10code.de/p-card.html
PEP 458: http://www.python.org/dev/peps/pep-0458/
TUF interface for RubyGems: http://rubyforge.org/pipermail/rubygems-developers/2013-November/007044.html
Targeted Internet traffic misdirection: http://www.renesys.com/2013/11/mitm-internet-hijacking/
Further improving digital certificate security: http://googleonlinesecurity.blogspot.ca/2013/12/further-improving-digital-certificate.html

The Author

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.

« Previous 1 2 3 4 5 6 7

Buy this article as PDF

Express-Checkout as PDF

Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES

Print Issues

Digital Issues

SUBSCRIPTIONS

Print Subs

Digisubs

TABLET & SMARTPHONE APPS

US / Canada

UK / Australia

Read full article as PDF:

Price $2.95

News

Cisco Releases Annual Security Report

Spammers go low-volume, and 90% of IE browsers are unpatched.
Zero Day Exploits Target Flash

Adobe scrambles to release patches for vulnerable Flash Player.
Intel Unveils Compute Stick

Four-inch-long computer on a stick lets you boot a full Linux system from any HDMI display device.
Obama Proposes Personal Data Notification Law

New statute would require companies to report break-ins to consumers.
TGXf Project Warns of File Transfer through Screen Pixels

Weird data transfer technique avoids all standard security measures.
Industry Giants Announce a Fix for the Password Mess

FIDO alliance declares the beginning of the end for old-style login authentication.
Poll: Vote for the Best Open Source Software for Photographers

The Linux New Media Awards have honored the most significant products, projects, people, and organizations for open source/Linux every year since 2000.
Debian Gets Forked

Legendary Uber-distro splits over the systemd controversy.
Linux Mint Project Releases Mint 17.1

New LTS version offers many refinements for the Cinnamon and Mate desktops and significant improvement under the hood.
CeBIT Open Source Forum Call for Papers

CeBIT Open Source , Forum

One of CeBIT’s most successful forums returns in 2015.