Software updates and TUF

Conclusion

You can no longer assume downloading unsigned software is safe. Between programs like FinFisher and the verified incidents of widespread BGP route hacking, it is best to assume that even if you are not targeted by attackers, you might get caught up in a widespread attack. Relying on HTTPS isn't a safe bet anymore, because certificate authorities can issue fake certificates to government departments so that they can intercept SSL communications. What is needed is end-to-end signing of the data, as well as signed metadata – all of which TUF provides.

The Author

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus