> Closing down *most* of these exposures is why the 'rpm' package manager
> supports using PGP to sign the packages...

You *do* realize that digital signatures can be forged with theft of private keys, right?

You *do* realize that Microsoft deployed a bunch of PKI code that accepts arbitrary certificate chains and allows any certificate, even an End Entity certificate, to be used as an intermediate CA certificate for the purpose of issuing new arbitrary certificates, including those that are used to digitally sign code, right?

You *do* realize that CAs made serious mistakes in the past, including issuing authentic certificates to unauthorized people (VeriSign) and issuing End Entity certificates without the End Entity bit present (Thawte, FreeSSL.com, others), right?

You *do* realize that bugs may exist in rpm's client socket routines that would allow remote-exploitable buffer overflows to be mounted by a MITM, right?

And surely you *must* realize that we can spend days making lists of known threats and *still* fail to identify *all* possible threats.

No communication that crosses organizational boundaries should *ever* be automated. Least of all code updates.

Jason Coombs
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 04, 2003 8:43 AM
To: martin scherer
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Microsoft win2003server phone home

On Mon, 04 Aug 2003 13:15:26 +0200, martin scherer <[EMAIL PROTECTED]> said:

> > 3. Could it be considered as a security risk to let a newly installed server
> > request information from an arbitrary server that I have no control over?
> security in the way that your server might end up getting exploited because
> of it?
> no, I don't think so..
> security in a way that you might get caught using an illegal copy of a
> win2003 server?
> yup.

You *do* realize that windowsupdate.microsoft.com was hit by CodeRed, right?
http://www.securityfocus.com/archive/1/198145/2001-07-17/2001-07-23/2

You *do* realize that Apple's 'Software Update' had issues with failing to use PKI to identify the download server, resulting in a possible MITM attack, right?
http://www.securityfocus.com/archive/1/280964/2003-04-13/2003-04-19/2

You *do* realize that OpenSSH, Sendmail, tcpdump, and tcp_wrappers have *all* had trojan'ed distributions put on their *official* download site?
http://www.cert.org/advisories/CA-2002-30.html
http://www.cert.org/advisories/CA-2002-28.html
http://www.cert.org/advisories/CA-2002-24.html
http://www.cert.org/advisories/CA-1999-01.html

Still don't think there's a security risk in downloading an unverified patch from a server not under your control?

Closing down *most* of these exposures is why the 'rpm' package manager supports using PGP to sign the packages...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
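The chain-validation flaw Jason describes (a validator that checks signatures back to a trusted root but never checks whether each issuer is actually permitted to issue) is easiest to see in code. The following is an added example written for this page; it is not code from the thread, from rpm, or from Microsoft's PKI stack. It models X.509 path validation over constructed certificates, with HMAC standing in for real RSA/ECDSA signatures so it runs on the Python standard library alone; all names ("Example Root CA", "www.example.com", "Code Signing: Attacker") and keys are made up. The `validate` function enforces the three checks a path validator must apply to every issuer on the path (basicConstraints CA=TRUE, keyUsage keyCertSign, pathLenConstraint), and `build_demo` shows that a lax validator accepts a code-signing certificate "issued" by an ordinary web-server certificate while the strict one rejects it.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Cert:
    """Minimal model of the fields path validation cares about.
    Constructed for this example; 'secret' is a toy private key that a
    real certificate would of course never carry."""
    subject: str
    issuer: str
    is_ca: bool                 # basicConstraints CA flag
    key_cert_sign: bool         # keyUsage keyCertSign bit
    path_len: Optional[int]     # pathLenConstraint, None = absent
    secret: bytes               # toy private key
    signature: bytes = b""

    def tbs(self) -> bytes:
        """'To-be-signed' bytes: everything except the signature.
        The subject public key is modelled as a hash of the toy secret."""
        pub = hashlib.sha256(self.secret).hexdigest()
        return (f"{self.subject}|{self.issuer}|{self.is_ca}|"
                f"{self.key_cert_sign}|{self.path_len}|{pub}").encode()


def issue(issuer: Cert, cert: Cert) -> Cert:
    """Toy signing: HMAC with the issuer's secret stands in for RSA/ECDSA."""
    cert.signature = hmac.new(issuer.secret, cert.tbs(), "sha256").digest()
    return cert


def signature_ok(issuer: Cert, cert: Cert) -> bool:
    expected = hmac.new(issuer.secret, cert.tbs(), "sha256").digest()
    return hmac.compare_digest(expected, cert.signature)


def validate(chain: List[Cert], anchors: Dict[str, Cert],
             enforce_ca_constraints: bool = True) -> Tuple[bool, str]:
    """Walk from the end entity (chain[0]) up to a trust anchor.
    enforce_ca_constraints=False reproduces the broken behaviour the post
    describes: any cert whose signature chains to a trusted root may act
    as an intermediate CA."""
    for depth, cert in enumerate(chain):
        issuer = (chain[depth + 1] if depth + 1 < len(chain)
                  else anchors.get(cert.issuer))
        if issuer is None or issuer.subject != cert.issuer:
            return False, f"no issuer found for {cert.subject!r}"
        if not signature_ok(issuer, cert):
            return False, f"bad signature on {cert.subject!r}"
        if enforce_ca_constraints:
            if not issuer.is_ca:
                return False, f"{issuer.subject!r} is an end entity, not a CA"
            if not issuer.key_cert_sign:
                return False, f"{issuer.subject!r} lacks keyCertSign"
            # pathLenConstraint limits the number of intermediates below
            # this issuer, not counting the end entity; 'depth' is that count.
            if issuer.path_len is not None and depth > issuer.path_len:
                return False, f"pathLenConstraint of {issuer.subject!r} exceeded"
    return True, "ok"


def build_demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: the holder of a legitimate web-server cert
    (CA=FALSE) uses its own key to 'issue' a code-signing cert."""
    root = Cert("Example Root CA", "Example Root CA", True, True, 1, b"root-secret")
    issue(root, root)
    inter = Cert("Example Issuing CA", "Example Root CA", True, True, 0, b"inter-secret")
    issue(root, inter)
    site = Cert("www.example.com", "Example Issuing CA", False, False, None, b"site-secret")
    issue(inter, site)
    forged = Cert("Code Signing: Attacker", "www.example.com", False, False, None,
                  b"attacker-secret")
    issue(site, forged)  # signed with the site's key, which its owner really holds
    anchors = {root.subject: root}
    return {
        "honest_strict": validate([site, inter], anchors),
        "forged_lax": validate([forged, site, inter], anchors,
                               enforce_ca_constraints=False),
        "forged_strict": validate([forged, site, inter], anchors),
    }


if __name__ == "__main__":
    for name, verdict in build_demo().items():
        print(f"{name}: {verdict}")
```

Every signature in the forged chain is genuine, which is why checking signatures alone is not enough: the question a validator must ask of each link is not only "was this signed by the key above it" but "was the key above it authorised to sign certificates at all, and at this depth".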
