Software updates and TUF
Conclusion
You can no longer assume downloading unsigned software is safe. Between programs like FinFisher and the verified incidents of widespread BGP route hacking, it is best to assume that even if you are not targeted by attackers, you might get caught up in a widespread attack. Relying on HTTPS isn't a safe bet anymore, because certificate authorities can issue fake certificates to government departments so that they can intercept SSL communications. What is needed is end-to-end signing of the data, as well as signed metadata – all of which TUF provides.
Infos
- FinFisher: http://en.wikipedia.org/wiki/FinFisher
- OpenSSL website compromised: http://www.openssl.org/news/secadv_hack.txt
- TUF – The Update Framework: https://github.com/theupdateframework
- Tor: https://www.torproject.org/
- Survivable key compromise: http://freehaven.net/~arma/tuf-ccs2010.pdf
- OpenGPG card: http://www.g10code.de/p-card.html
- PEP 458: http://www.python.org/dev/peps/pep-0458/
- TUF interface for RubyGems: http://rubyforge.org/pipermail/rubygems-developers/2013-November/007044.html
- Targeted Internet traffic misdirection: http://www.renesys.com/2013/11/mitm-internet-hijacking/
- Further improving digital certificate security: http://googleonlinesecurity.blogspot.ca/2013/12/further-improving-digital-certificate.html
Buy this article as PDF
Express-Checkout as PDF
Price $2.95
(incl. VAT)
(incl. VAT)