[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#5639) Digital (PGP-)signature for downloadable sources
On Aug 4, 2008, at 9:56 PM, h.b.furuseth@usit.uio.no wrote:
> Kurt@OpenLDAP.org writes:
>> On Aug 4, 2008, at 2:06 PM, h.b.furuseth@usit.uio.no wrote:
>>> Kurt@OpenLDAP.org writes:
>>>> I note as well that properly deploying release signing requires
>>>> more than script modification. For instance, one does need to
>>>> consider that the host to sign the releases might itself been
>>>> taken over and the implications of such a takeover.
>>>
>>> For that part, signatures in the 'https:' site would help.
>>
>> I think you need to re-think that assertion.
>
> Er, yes, I was thinking of the "outside" equivalent, hacking DNS and
> "taking over" that way.
Those mounting such attacks are more likely to take over google.com
than openldap.org.
> I have the impression that's the most common way to "take over" a
> site, but I may be wrong.
I would say it's a more commonly talked about "take over" approach at
present. Though I don't know if its more common that other major site
"take over" approaches. But "take over" of small sites, such are
openldap.org, are different because the goal is different. Folks
"take over" major sites (generally in an isolated way, such as via a
particular ISP) because there is a reasonable chance that users will
access the taken over site. These take overs often are attempts to
install malware on user systems (be careful, that google search button
might not be a true google search button).
Take over of small sites is commonly done to deface the site, to gain
notoriety or to grind an axe or something.
So, I'm not particularly worried about former, but am worried about
the latter.
But you and others brought up https:// in the context of a PGP signing
discussion. This is, I think, confused.
-- Kurt