TUF Love » Linux Magazine

Software updates and TUF

Conclusion

You can no longer assume downloading unsigned software is safe. Between programs like FinFisher and the verified incidents of widespread BGP route hacking, it is best to assume that even if you are not targeted by attackers, you might get caught up in a widespread attack. Relying on HTTPS isn't a safe bet anymore, because certificate authorities can issue fake certificates to government departments so that they can intercept SSL communications. What is needed is end-to-end signing of the data, as well as signed metadata – all of which TUF provides.

Infos

FinFisher: http://en.wikipedia.org/wiki/FinFisher
OpenSSL website compromised: http://www.openssl.org/news/secadv_hack.txt
TUF – The Update Framework: https://github.com/theupdateframework
Tor: https://www.torproject.org/
Survivable key compromise: http://freehaven.net/~arma/tuf-ccs2010.pdf
OpenGPG card: http://www.g10code.de/p-card.html
PEP 458: http://www.python.org/dev/peps/pep-0458/
TUF interface for RubyGems: http://rubyforge.org/pipermail/rubygems-developers/2013-November/007044.html
Targeted Internet traffic misdirection: http://www.renesys.com/2013/11/mitm-internet-hijacking/
Further improving digital certificate security: http://googleonlinesecurity.blogspot.ca/2013/12/further-improving-digital-certificate.html

The Author

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.

« Previous 1 2 3 4 5 6 7

Buy this article as PDF

Express-Checkout as PDF

Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES

SUBSCRIPTIONS

Print Subs

Digisubs

TABLET & SMARTPHONE APPS

US / Canada

UK / Australia

Related content

Security Lessons: Modified Code Attacks

Learn how to protect yourself against malicious attacks by modified source code.

more »
Security Lessons: Signing Code

Kurt looks at the practice of code signing and examines why so few upstream open source projects actually do it.

more »
Security Lessons

Researchers set out to compromise MD5 in an effort to convince people to stop using it. We explain how the attack worked and what this means for you.

more »
Security Issue with FLAC Audio Codec

Loss free audio codecs are gaining in popularity with device manufacturers; right now, a vulnerability in the Free Lossless Audio Codec (FLAC) spoils users listening pleasure.

more »
Ubuntu Core 16

Canonical releases the minimal edition for embedded devices, Internet of Things, and cloud deployments.

more »

comments powered by Disqus

Visit Our Shop

Trial Subscription

Digital Subscription

Subscribe

Direct Download

Read full article as PDF:

Price $2.95

News

Trojan Turns Raspberry Pi into a Cryptocurrency Mining Device

Two trojans in the wild are targeting Linux machines.
Fedora 26 Beta Comes with New Features

The workstation comes with the latest Gnome desktop environment and support for many application build systems.
Raspberry Pi Foundation Merges with CoderDojo Foundation

The two foundations join forces to expand their efforts to reach young people.
Samba Security Hole Patched but Risk is Bigger

Millions of devices that use Samba Server are vulnerable to attacks.
Red Hat Announces OpenShift.io

Red Hat takes its IDE online.
Microsoft Bakes Linux into Windows Server

Microsoft is slowly becoming a Linux vendor.
Fearless Coyote, Linux Kernel 4.11 is Out

The new kernel makes swap implementation more scalable, which will help cloud providers.
Docker Appoints Steve Singh CEO

The new CEO comes from a very strong SaaS background.
Docker Announces Linux Kit and Moby Project

Both projects help organizations build their own containerized systems.
Ubuntu Returns to Gnome as Its Mobile Plans Shatter

Mark Shuttleworth has resumed the position of CEO of Canonical.