http://arstechnica.com/security/2015/02/psa-your-crypto-apps-are-useless-unless-you-check-them-for-backdoors/
By Dan Goodin
Ars Technica
Feb 4, 2015

At the beginning of the year, I did something I've never done before: I
made a new year's resolution. From here on out, I pledged, I would install
only digitally signed software I could verify hadn't been tampered with by
someone sitting between me and the website that made it available for
download.

It seemed like a modest undertaking, but in practice, it has already cost
me a few hours of lost time. With practice, it's no longer the
productivity killer it was. Still, the experience left me smarting. In
some cases, the extra time I spent verifying signatures did little or
nothing to make me more secure. And too many times, the sites that took
the time to provide digital signatures gave little guidance on how to use
them. Even worse, in one case, subpar security practices of some software
providers undercut the protection that's supposed to be provided with
digitally signed code. And in one extreme case, I installed the Adium
instant messaging program with no assurance at all, effectively crossing
my fingers that it hadn't been maliciously modified by state-sponsored
spies or criminally motivated hackers. More about those deficiencies
later—let's begin first with an explanation of why digital signatures are
necessary and how to go about verifying them.

By now, most people are familiar with man-in-the-middle attacks. They're
waged by someone with the ability to monitor traffic passing between an
end user and a website—for instance, a hacker sniffing an unsecured Wi-Fi
connection or the National Security Agency sniffing the Internet backbone.
When the data isn't encrypted, the attacker can not only read private
communications but also replace legitimate software normally available for
download with maliciously modified software. If the attack is done
correctly, the end user will have no idea what's happening. Even when Web
connections are encrypted with the HTTPS standard, highly skilled hackers
still may be able to seed a website with malicious counterfeit downloads.
That's where digital signatures come in.

A prime candidate for such an attack is the OTR plugin for the Pidgin
instant messenger. It provides the means to encrypt messages so (1) they
can't be read by anyone monitoring the traffic sent between two parties
and (2) each party can know for sure that the person on the other end is,
in fact, who she claims to be. Fortunately, the OTR installer is provided
through an encrypted HTTPS connection, which goes a long way to thwarting
would-be man-in-the-middle attackers. But strict security practices
require more, especially for software as sensitive as OTR. That's why the
developers included a GPG signature users can check to verify that the
executable file hasn't been altered in any way.
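
The check described above, as an added shell example that is not from the article or the OTR project: it accepts a download only when gpg reports a valid signature made by a key whose fingerprint matches one obtained separately from the developers, since a good signature from an unknown key proves nothing. The function names and file arguments are hypothetical, and the signer's public key is assumed to be in the local keyring already.

```shell
#!/bin/sh
# Added example. Function names and file arguments are hypothetical.

# Read gpg --status-fd output on stdin. Succeed only if it holds a VALIDSIG
# line for the pinned fingerprint ($1) and no expired/revoked/bad marker.
status_has_pinned_validsig() {
    # Normalise "abcd ef01 ..." as printed on websites to "ABCDEF01..."
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        # $3 is the signing (sub)key, the last field the primary key
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# verify_download FILE DETACHED_SIG PINNED_FINGERPRINT
# Fails if gpg itself rejects the signature or the signer is not the pinned key.
verify_download() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | status_has_pinned_validsig "$3"
}
```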
[...]