Re: Cryptoapi kernel-patch packages for debian
Thanks David, the input is wonderful!
On Mon, Jul 08, 2002 at 12:56:29AM +0200, David Gümbel wrote:
> > example:
> > http://jlcooke.ca/go?2.4.18/CA | less
>
> Yes, I see :)
>
> But there are still some things that come to my mind as far as security is
> concerned:
>
> * Placing "KERNKEY=0x517D0F0E" inside the script downloaded from the web might
> be a potential security risk as this could quite easily be transparently
> replaced by a different key id I have in my keyring (or that is available
> via the keyserver)[1]. I think this might be avoided by reading the key ID
> from a local file that has to be created by the user first (?)
go-gnome.com does something like this, so I'm not without precedent. :)
I agree, an SSL (https vs http) URL fetch is preferred. This has sent me down
a few interesting paths (jl's little secret for now). Worst comes to worst,
I'll buy a Thawte cert for kerneli.org.
BTW, lynx and w3m both use libssl.so (openssl). And openssl will disallow a
connection to an invalid host/cert pair, but I don't think either is using this
feature...too bad.
The issue with GPG...well, I have my own opinions about GPG which most people
will not like. Can we assume that if the sh script comes from a verified SSL
tunnel, the contents can be trusted?
> * There is no check whether the key used for verification is trusted/has
> been signed by the user.
If the user doesn't have the key yet, how can the user sign it for use? Are
you suggesting we prompt the user?
> * The script is being piped directly from the web to a root shell. This looks
> dangerous to me, even with SSL in use, as long as the SSL certificate
> doesn't undergo verification. I currently can't find any option for
> lynx or w3m that does this, but it's very possible I'm just blind.
Read above, re: verification of the SSL tunnel.
> And there's one thing I stumbled across when reading the code - maybe you
> should start with a section like this:
>
> TRUEBIN=`which true`
> W3MBIN=`which w3m`
> LYNXBIN=`which lynx`
> etc., just as you did with the gpg binary.
Sounds good.
--
http://www.certainkey.com
Suite 4560 CTTC
1125 Colonel By Dr.
Ottawa ON, K1S 5B6
C: 613.263.2983
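The arrangement the thread is circling (an HTTPS fetch with the server certificate actually checked, the signing key pinned in a local file the user creates rather than inside the downloaded script, and the signature verified before anything reaches a root shell), written out as an added POSIX sh example; this is not the kerneli.org script. The ~/.kerneli-keyid file, the .sig URL naming and the example.invalid URLs are assumptions, and curl and gpg are assumed to be installed.

```shell
# Added example, not the kerneli.org "go" script. Assumed: curl and gpg installed,
# the pinned key in ~/.kerneli-keyid (written by the user, never by a download).
KEYID_FILE="${KEYID_FILE:-$HOME/.kerneli-keyid}"
SCRIPT_URL="${SCRIPT_URL:-https://example.invalid/go?2.4.18/CA}"     # placeholder
SIG_URL="${SIG_URL:-https://example.invalid/go?2.4.18/CA.sig}"       # placeholder

# Read the pinned key from the local file. Only a 16-hex long key ID or a
# 40-hex fingerprint is accepted; 8-digit short IDs like 0x517D0F0E are
# rejected because a second key with the same short ID is cheap to generate.
read_trusted_keyid() {
    [ -r "$1" ] || { echo "no trusted key id file: $1" >&2; return 1; }
    keyid=$(head -n 1 "$1" | tr -d ' \t\r')
    keyid=$(printf '%s' "${keyid#0x}" | tr 'a-f' 'A-F')
    printf '%s\n' "$keyid" | grep -Eq '^([0-9A-F]{16}|[0-9A-F]{40})$' ||
        { echo "malformed key id in $1" >&2; return 1; }
    printf '%s\n' "$keyid"
}

# HTTPS only (no downgrade on redirect); the server certificate is checked
# against the system CA store, which is curl's default when -k is not given.
fetch_verified() {
    curl --proto '=https' --tlsv1.2 -fsS -o "$2" "$1"
}

# $1 script, $2 detached signature, $3 pinned key id/fingerprint. A "good"
# signature alone is not enough: the VALIDSIG fingerprint must end in the
# pinned value, so no other key in the keyring can stand in for it.
verify_signature() {
    [ -n "$3" ] && [ -r "$1" ] && [ -r "$2" ] ||
        { echo "missing script, signature or key id" >&2; return 1; }
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    case "$fpr" in
        *"$3") return 0 ;;
        *)     echo "signed by unexpected key: $fpr" >&2; return 1 ;;
    esac
}

# Download to a temp dir, verify, and only then hand the file to a shell;
# nothing is piped straight from the network into sh.
install_kernel_patch() {
    keyid=$(read_trusted_keyid "$KEYID_FILE") || return 1
    tmp=$(mktemp -d) || return 1
    fetch_verified "$SCRIPT_URL" "$tmp/go.sh" &&
        fetch_verified "$SIG_URL" "$tmp/go.sh.sig" &&
        verify_signature "$tmp/go.sh" "$tmp/go.sh.sig" "$keyid" &&
        sh "$tmp/go.sh"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Run install_kernel_patch as root only after the key file has been created by hand from a fingerprint obtained out of band; the download itself never supplies it.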
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/