TUF Love » Linux Magazine

Software updates and TUF

Conclusion

You can no longer assume downloading unsigned software is safe. Between programs like FinFisher and the verified incidents of widespread BGP route hacking, it is best to assume that even if you are not targeted by attackers, you might get caught up in a widespread attack. Relying on HTTPS isn't a safe bet anymore, because certificate authorities can issue fake certificates to government departments so that they can intercept SSL communications. What is needed is end-to-end signing of the data, as well as signed metadata – all of which TUF provides.

Infos

FinFisher: http://en.wikipedia.org/wiki/FinFisher
OpenSSL website compromised: http://www.openssl.org/news/secadv_hack.txt
TUF – The Update Framework: https://github.com/theupdateframework
Tor: https://www.torproject.org/
Survivable key compromise: http://freehaven.net/~arma/tuf-ccs2010.pdf
OpenGPG card: http://www.g10code.de/p-card.html
PEP 458: http://www.python.org/dev/peps/pep-0458/
TUF interface for RubyGems: http://rubyforge.org/pipermail/rubygems-developers/2013-November/007044.html
Targeted Internet traffic misdirection: http://www.renesys.com/2013/11/mitm-internet-hijacking/
Further improving digital certificate security: http://googleonlinesecurity.blogspot.ca/2013/12/further-improving-digital-certificate.html

The Author

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.

« Previous 1 2 3 4 5 6 7