[Nix-dev] [yui at cock.li: Re: Malicious installation methods]

[zimbatm]

On Fri, 17 Jun 2016 at 16:18 Yui Hirasawa <yui at cock.li> wrote:

> > Assuming a MITM it's already game over here, the MITM doesn't even have
> to
> > control one of the CAs.
>
> No. If you are verifying the GPG signature it is not game over. It
> doesn't matter how you retrieve the signature and the signed file if you
> verify them, this is assuming that the crypto primitives aren't broken.
>

Unless I misunderstood something all you are verifying is that the attacker's
GPG signature matches the attacker's archive. This just gives you a false
sense of security.

> There is also an alternative verification method: `gpg --keyserver
> > keys.gnupg.net --recv-keys 3D9AEBB5`. Assuming a MITM, keys.gnupg.net is
> > accessed in clear. And generating a GPG key with the same key ID is
> > trivial. So game over again.
>
> This is true. Retrieving the key is not a trivial problem. This is why
> projects should start printing their fingerprint on all promotional
> material and on every website and on every talk they give. This way it
> is easier to verify that you have the right key. For example some people
> who give talks at defcon or CCC have their fingerprints on the first or
> last or in some cases every slide.
>

I agree. For GPG to be implemented properly, the key must be distributed
separately from the content. The goal is to make the attack more expensive
by forcing the attacker to compromise multiple communication channels. And
the key fingerprint must be in the long form to mitigate potential
collision attacks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.science.uu.nl/pipermail/nix-dev/attachments/20160617/246c57a1/attachment.html>