Hi,

This is a sad mail to write, as it has come to our attention that CNET's
download service seems to have added some malware to the OpenVPN GUI
installer for Windows.

There are more issues here.  First of all, the 2.1_beta7 release which is
available on that site *should not* be used.  That version is very old,
and the latest release at the current point is version 2.2.1.

Then there is an issue with CNET wrapping the 2.1_beta7 release into
their own installer.  This "new" installer will install malware on your
computer.  It might even change your default home page, add toolbars to
Internet Explorer (which are claimed to be hard to get rid of), change your
search engine to Bing, and so on.  And this is something other open
source projects have noticed as well, such as NMAP and VLC.

If you see something like the following screenshots, don't trust the
installer!

<http://images.sjau.ch/img/26237c40.png>
<http://images.sjau.ch/img/a20598a6.png>

Another indication of a non-trustworthy installer is if the downloaded
file name starts with 'cnet'.

For more information, see this web site:
<http://insecure.org/news/download-com-fiasco.html>

And to be sure you get a proper installer, download it from:
<http://openvpn.net/index.php/open-source/downloads.html>

Here you may also download the GnuPG (PGP) signature of the installer
which should give a confirmation like this:

$ gpg --verify openvpn-2.2.1-install.exe.asc
gpg: Signature made Tue 05 Jul 2011 09:16:13 CEST using DSA key ID 1FBF51F3
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:  12  signed:   5  trust: 0-, 0q, 0n, 0m, 0f, 12u
gpg: depth: 1  valid:   5  signed:  33  trust: 5-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2012-02-02
gpg: Good signature from "James Yonan <j...@yonan.net>"

This requires that openvpn-2.2.1-install.exe is in the same directory as
openvpn-2.2.1-install.exe.asc.

There are probably similar ways to verify signatures via PGP or GnuPG
in Windows as well.

Thanks go to hyper_ch on #openvpn at FreeNode (IRC) for notifying us
about this issue.


kind regards,

David Sommerseth
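The verification step described in the mail, as an added example that is not part of the original announcement or of the OpenVPN project: it runs gpg with its machine-readable status output and accepts the installer only when the signature is good *and* comes from a key whose fingerprint you pinned beforehand. The pinned fingerprint and the sample transcripts are constructed placeholders (only the short key ID 1FBF51F3 comes from the mail), and `gpg --status-fd` and the GOODSIG/VALIDSIG/BADSIG status lines are standard GnuPG behaviour.

```python
import subprocess

# Constructed placeholder for the fingerprint you obtained out-of-band; its last
# eight hex digits match the short key ID 1FBF51F3 quoted in the announcement.
TRUSTED_FINGERPRINTS = {"00000000000000000000000000000000" + "1FBF51F3"}
REJECT_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}

def verify_status(status_text, trusted=TRUSTED_FINGERPRINTS):
    """Judge a `gpg --status-fd 1 --verify` transcript; returns (accepted, reason).

    Accept only if gpg emits GOODSIG *and* VALIDSIG and the VALIDSIG fingerprint
    (or its primary-key fingerprint) is pinned. A "Good signature" from any other
    key is rejected: anyone can make a good signature with a key they own.
    """
    good, fprs = False, set()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                  # human-readable text, not machine status
        fields = line.split()
        tag = fields[1]
        if tag in REJECT_TAGS:
            return False, f"gpg reported {tag}"
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":
            fprs.add(fields[2].upper())       # fingerprint of the signing key
            if len(fields) >= 12:
                fprs.add(fields[11].upper())  # fingerprint of its primary key
    if not (good and fprs):
        return False, "no valid signature found"
    if fprs & {f.upper() for f in trusted}:
        return True, "good signature from a pinned key"
    return False, "good signature, but from a key that is not pinned"

def verify_installer(sig_path, file_path, trusted=TRUSTED_FINGERPRINTS):
    """Run gpg on the detached .asc and the installer beside it, as in the mail."""
    cmd = ["gpg", "--status-fd", "1", "--verify", sig_path, file_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return verify_status(proc.stdout, trusted)

# Constructed transcripts (not real gpg output for the OpenVPN files).
PINNED_FPR = next(iter(TRUSTED_FINGERPRINTS))
SAMPLE_GOOD = ("[GNUPG:] GOODSIG 000000001FBF51F3 Constructed Signer <s@example.invalid>\n"
               f"[GNUPG:] VALIDSIG {PINNED_FPR} 2011-07-05 1309850173 0 4 0 17 2 00 {PINNED_FPR}\n")
SAMPLE_OTHER_KEY = SAMPLE_GOOD.replace(PINNED_FPR, "1" * 40)
SAMPLE_BAD = "[GNUPG:] BADSIG 000000001FBF51F3 Constructed Signer <s@example.invalid>\n"
```

`verify_installer("openvpn-2.2.1-install.exe.asc", "openvpn-2.2.1-install.exe")` is the scripted form of the manual check in the mail, with the key-pinning decision made explicit instead of read off the "Good signature from" line.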
