Secure distribution


MrElvey

Dec 7, 2010, 5:34:24 PM
to Prey
I'd like to report that Prey can't be downloaded securely.

For the paranoid, please serve the .dmg over HTTPS, or provide
checksums (MD5 and/or SHA1) on a *secure* web page.

Given Prey is for the paranoid, I'm surprised I can't find these
already.

MITM attacks are trivial given known DNS flaws, until this is
addressed, especially for users of public wireless networks.

There's a very good paper on the topic:
Insecurities within automatic update systems
by ing. P. Ruissen
ing. R. Vloothuis
Research project 2
MSc in System and Network Engineering
University of Amsterdam
Class of 2006-2007

Tomás Pollak

Dec 9, 2010, 9:15:59 AM
to Prey
Hi,

I haven't read the paper but I guess you're right. I've been thinking
of adding torrents as a method of distribution. Would that make you
feel more secure?

Tomás

MrElvey

Dec 20, 2010, 5:07:58 PM
to Prey

On Dec 9, 6:15 am, Tomás Pollak <tomaspol...@gmail.com> wrote:
> I haven't read the paper but I guess you're right. I've been thinking
> of adding torrents as a method of distribution. Would that make you
> feel more secure?

Tomás,

You can find the paper I mentioned free online; ask Google.

Apple has a relevant article here:
http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html

Serving the .dmg over BitTorrent is only about as secure as serving it
over HTTP; alone they provide poor security.

You could serve the .dmg over BitTorrent or HTTP, but it would only be
secure if you provided checksums (MD5 and/or SHA1) securely, e.g.

* on a *secure* web page, (i.e. HTTPS, with a trusted cert) or
* in a PGP-signed or S/MIME-signed email, with trusted signatures.

I'm developing two complementary sites - one to facilitate secure
contribution of checksums by software authors, as well as maintenance
and secure publication thereof, and the other to publicize secure and
insecure software distribution and maintenance. Please contact me or
reply here if you'd like to be on board for the launch.
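
Added example, not part of the original thread or of Prey's code: a small model of the argument in the post above, showing that a checksum only protects a download when the checksum itself arrives over an authenticated channel. The byte strings and the deliver() and client_outcome() helpers are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for the real download; any bytes will do.
GENUINE = b"constructed stand-in for the genuine .dmg"
MODIFIED = b"constructed stand-in for a .dmg altered in transit"

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def checksum_ok(package: bytes, published_hex: str) -> bool:
    """True when the package hashes to the published checksum."""
    return hmac.compare_digest(sha1_hex(package), published_hex.strip().lower())

def deliver(sent, authenticated: bool, substitute):
    """Model one transfer (hypothetical helper).

    Unauthenticated (plain HTTP, BitTorrent): whoever controls the path
    decides what arrives. Authenticated (HTTPS with a trusted certificate,
    a signed e-mail): the client receives what the publisher sent.
    """
    return sent if authenticated else substitute

def client_outcome(package_authenticated: bool, checksum_authenticated: bool):
    """Return (installed, genuine) for a client that installs only on a
    checksum match while every unauthenticated transfer is being rewritten."""
    package = deliver(GENUINE, package_authenticated, MODIFIED)
    published = deliver(sha1_hex(GENUINE), checksum_authenticated,
                        sha1_hex(MODIFIED))
    return checksum_ok(package, published), package == GENUINE

if __name__ == "__main__":
    for pkg_auth in (False, True):
        for sum_auth in (False, True):
            installed, genuine = client_outcome(pkg_auth, sum_auth)
            print(f"package authenticated={pkg_auth!s:5} "
                  f"checksum authenticated={sum_auth!s:5} "
                  f"installed={installed!s:5} genuine={genuine}")
```

The first row of the printed table is the case the thread is about: with both the package and its checksum on an unauthenticated channel, the altered package installs and the checksum matches.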

Drew Reece

Dec 21, 2010, 1:48:37 AM
to prey-s...@googlegroups.com
Setting up HTTPS seems like a good idea; perhaps the built-in autoupdate feature should only use the HTTPS URL to reduce the risks of man-in-the-middle attacks inserting their own code for an update.

MrElvey, check out prey/core/updater: the updates are MD5'd; I guess it just isn't pointed out anywhere in the Prey docs & site. Using MD5 is no excuse for not using HTTPS too; it just adds another layer.

Drew


Tomás Pollak

Dec 23, 2010, 3:47:21 PM
to Prey
Hey guys,

Actually we do generate MD5s for everything we pack. The download
page lists the MD5 checksum for each package and the auto updater also
verifies the checksum of the zip file before attempting to patch.

Currently, auto updates are not served from our servers but from
GitHub's (cloud.github.com). Since they've now switched everything to
HTTPS I guess we should also take advantage of it and fetch the
packages using HTTPS. However:

$ wget https://cloud.github.com/downloads/tomas/prey/prey-updater-for-0.4.4.zip
--2010-12-23 17:38:11-- https://cloud.github.com/downloads/tomas/prey/prey-updater-for-0.4.4.zip
Resolving cloud.github.com... 216.137.33.87, 216.137.33.223, 216.137.33.17, ...
Connecting to cloud.github.com|216.137.33.87|:443... connected.
ERROR: certificate common name `*.cloudfront.net' doesn't match requested host name `cloud.github.com'.
To connect to cloud.github.com insecurely, use `--no-check-certificate'.

Tom

On Dec 21, 3:48 am, Drew Reece <dru...@gmail.com> wrote:
> Setting up https seems like a good idea, perhaps the built in autoupdate feature should only use the https url to reduce the risks of man in the middle attacks inserting their own code for an update.

Actually patches for updates are fetched from Github
(cloud.github.com) which supports SSL so there's

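
Added example, not part of the original thread and not code from Prey or wget: a simplified version of the host-name check behind the wget error quoted in the last post, showing why a certificate for `*.cloudfront.net` does not authenticate `cloud.github.com` and what disabling the check gives up. The function names and the host name example.cloudfront.net are constructed for illustration.

```python
def name_matches(cert_name: str, hostname: str) -> bool:
    """Compare one certificate DNS name with the requested host name.

    Simplified form of the usual rule: names are compared label by label,
    case-insensitively, and "*" is honoured only as the entire left-most
    label, where it stands for exactly one label.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels) or "" in host_labels:
        return False
    if cert_labels[0] == "*":
        # Require at least "*.domain.tld" and identical remaining labels.
        return len(cert_labels) >= 3 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels

def fetch_decision(hostname: str, cert_names, check_certificate: bool = True) -> str:
    """What an updater should do once the server has presented its names."""
    if any(name_matches(n, hostname) for n in cert_names):
        return "proceed: server authenticated as " + hostname
    if check_certificate:
        return "abort: certificate does not cover " + hostname
    # Equivalent of wget's --no-check-certificate: the link is encrypted but
    # the peer is unverified, so an active man in the middle is not excluded.
    return "proceed: UNAUTHENTICATED peer"

if __name__ == "__main__":
    presented = ["*.cloudfront.net"]  # name taken from the wget error above
    print(fetch_decision("cloud.github.com", presented))
    print(fetch_decision("cloud.github.com", presented, check_certificate=False))
    # Constructed host name that the same certificate would cover:
    print(fetch_decision("example.cloudfront.net", presented))
```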