Hi there,
I am using wxWidgets for multiplatform development of the elliptic curve cryptography tool "Academic Signature".
(-> find Academic Signature e.g. via Google > open source elliptic curve cryptography <
or directly here:
http://www.fh-wedel.de/~an/crypto/Acade ... e_eng.html)
Since the summer of Snowden, we know that at least US intelligence and probably UK, Russian, Chinese, whatever as well are able and willing to intercept internet traffic and redirect it to plant backdoors. See what they did to TOR/Firefox and how they took advantage of a race condition here:
http://www.theguardian.com/world/2013/o ... -anonymity
In developing security software, I always have to look for the weakest link. Presently the weakest link in my case is the lack of any protection of the wxWidgets downloads en route to me (or other users if they do not use my static link of wxWidgets). I understand your server is situated in the UK, so even if I download via TOR, the exit node communicates with your server in the plain. GCHQ could manipulate the traffic and give me crab lice. They do this kind of thing and even seem to be proud of it! Google "royal concierge".
I would greatly appreciate it if at least the source archives were protected by a digital signature of the developer in charge of the releases. In this way the notorious agencies would at least have to introduce a mole into the wxWidgets team. Without signatures they get the chance to circulate backdoored versions almost for free. In fact they are able to compromise any system that uses wxWidgets-supported programs.
If I were working for the NSA and were to attack Linux users, wxWidgets would be one of my prime targets. I cannot imagine any Linux not using any wxWidgets-based tool. And I would get a free ride for additional backdoors in Windows and Apple OS. The wxWidgets team should be aware of being a very attractive target for these people.
So please think of authenticating your downloads e.g. with GnuPG (you might also use a more modern authentication scheme using Academic Signature of course :-).
regards
Michael Anders
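
What the requested check would look like on the downloader's side, as an added example that is not part of the original post and not wxWidgets project code: a detached GnuPG signature is verified against a fingerprint obtained out of band, so a modified archive or a signature from any other key is rejected. The function names, file names and the throwaway key are constructed for illustration; GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# verify_release ARCHIVE SIG PINNED_FPR HOMEDIR
# Returns 0 only if gpg reports a good signature whose primary-key
# fingerprint equals the pinned one (obtained out of band).
verify_release() {
    gpg --homedir "$4" --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
    awk -v want="$3" '
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" { fpr = $NF }   # last field: primary key fingerprint
        END { exit !(good && fpr == want) }'
}

# make_demo DIR: constructed fixture with a throwaway signing key, a stand-in
# "archive", its detached signature and a tampered copy. Prints the signer's
# fingerprint. A real downloader's keyring would hold only the public key.
make_demo() {
    home="$1/gnupg"
    mkdir -p "$home" && chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --passphrase '' --quick-generate-key \
        'Constructed Release Key <releases@example.invalid>' ed25519 sign never \
        >/dev/null 2>&1 || return 1
    printf 'constructed stand-in for a source archive\n' > "$1/src.tar.gz"
    gpg --homedir "$home" --batch --quiet --yes --detach-sign \
        --output "$1/src.tar.gz.sig" "$1/src.tar.gz" 2>/dev/null || return 1
    # Simulate modification in transit: original bytes plus one extra line.
    { cat "$1/src.tar.gz"; printf 'injected\n'; } > "$1/tampered.tar.gz"
    gpg --homedir "$home" --batch --with-colons --list-keys 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Run as "sh script.sh demo" to see both outcomes.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && fpr=$(make_demo "$d") || exit 1
    verify_release "$d/src.tar.gz" "$d/src.tar.gz.sig" "$fpr" "$d/gnupg" \
        && echo "original archive: signature OK"
    verify_release "$d/tampered.tar.gz" "$d/src.tar.gz.sig" "$fpr" "$d/gnupg" \
        || echo "tampered archive: rejected"
    gpgconf --homedir "$d/gnupg" --kill gpg-agent 2>/dev/null
    rm -rf "$d"
fi
```

Comparing the full fingerprint from the `VALIDSIG` status line, rather than trusting gpg's exit code alone, is what ties the archive to one specific release key instead of to any key that happens to be in the keyring.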