Secure boot – but what about secure distribution!

In open source, security on August 17, 2012 by oli4444

Chain of trust

There is a lot of talk about secure boot recently – mostly because of the windows 8 certification requirements. Secure boot gives makes it harder (but not impossible) for malware such as rootkits to start at boot time and then control the operating system. It creates a chain of trust from the hardware to the bootloader to the operating system, so criminals cannot break that chain.

However, if we want to protect open source software against criminals there is a different chain of trust that we need to protect: the chain from upstream developers to the end-user. There are quite a few bits and pieces in place already, but some essential parts are missing. In august 2009, for example, the web server from the squirrelmail webmail project was hacked, and two plugins were compromised with malware. It was lucky that the hack was discovered very quickly so little harm was done, but that could have been much worse.

Most open source projects use a version control system for their source code that involves some form of crypto authentication. Some very basic, like a login over ssh to a subversion or cvs server, other require every patch to be signed with a PGP key. Most distributions use some form of signing to protect the integrity of their packages. But the step from upstream development to the distribution is often not secured at all. Many upstream developers offer a md5 or sha1 sum of the downloads – but hey, once the criminals hack your webserver, they can change both the md5 and the tarball with the source code!

So what should we do?

If all upstream developers would sign their releases with PGP, and distributions should check if the source tarball is correctly signed, and signed with a trusted key, it would be much harder for criminals to interfere with this step. The level of trust could be very minimal (just check if the source tarball is signed with the same key as the previous time we downloaded the package) or very high (require a web of trust where keys have to signed after an official government issued ID has been checked such as Debian requires), just depending on the importance of the package.

Bluefish source tarballs have been PGP signed for a while already. Now it’s time for the distributions to automatically check these signatures when building a package.

2 Responses to “Secure boot – but what about secure distribution!”

  1. If you hack the server adding the GPG signature, it isn’t any more secure than a hash. The only thing you’re preventing with GPG is people hacking the various mirrors.

    • There should be no server that can add a GPG signature. Only the upstream maintainer has access to the (password protected) private key, so only the upstream maintainer can create the correct signature.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: