Re: [clamav-users] Database updated over unencrypted connection?

2019-03-15 Thread instaham--- via clamav-users

Leonardo Rodrigues wrote:

> the databases are digitally signed, and any modification, such in
> a man-in-the-middle attack, would break the signature and freshclam
> would refuse to run the files.


Sounds good. Can you please explain how this works in detail?

Apt places GPG keys in the system and uses them to verify downloaded 
data.


It doesn't seem that ClamAV placed any GPG keys in my system. So how is 
the verification happening?


Thanks

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Database updated over unencrypted connection?

2019-03-15 Thread Arnaud Jacques

Hello,

On 15/03/2019 at 16:04, instaham--- via clamav-users wrote:

> Leonardo Rodrigues wrote:
> > the databases are digitally signed, and any modification, such in
> > a man-in-the-middle attack, would break the signature and freshclam
> > would refuse to run the files.
>
> Sounds good. Can you please explain how this works in detail?
>
> Apt places GPG keys in the system and uses them to verify downloaded
> data.
>
> It doesn't seem that ClamAV placed any GPG keys in my system. So how
> is the verification happening?


Read on 
https://lists.clamav.net/pipermail/clamav-users/2018-October/007053.html :


"

The .cvd files have an internal cryptographic signature that's
checked by freshclam and clamd/clamscan.  If freshclam and/or clamd
accepts the files, you can be assured they are official and
unmodified.  This is built into clam; no external tools are called.

"

Btw, it is working for official signatures. 3rd party signatures provide 
hash based checksum files.


--
Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Phone: +33-(0)3.44.39.76.46
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois



Re: [clamav-users] Database updated over unencrypted connection?

2019-03-15 Thread Micah Snyder (micasnyd) via clamav-users
For what it's worth, one of the tasks we're working on for 0.102 is https 
support for freshclam.  

It's more than just adding an "s" to the URL.  The plan is to make libcurl a 
hard requirement for ClamAV, which will also mean including libcurl on Windows.
Then we'll have to rewrite the freshclam code to use libcurl instead of doing 
the http 1.0 connections the hard way.  This should give us http 1.1 and 2.0 
support, as well as https support, and will make it possible to build 
clamsubmit for Windows.

No one is arguing with you because they don't want https support. However, as 
noted in previous conversations, we're comfortable with the security of 
plaintext/http connects because of how the databases are verified.  We do agree 
though, that https would be desirable.  

Micah


On 3/15/19, 11:54 AM, "clamav-users on behalf of Franky Van Liedekerke via 
clamav-users"  wrote:

On Friday, 15-03-2019 at 16:04, instaham--- via clamav-users wrote:
> Leonardo Rodrigues wrote:
> > the databases are digitally signed, and any modification, such in
> > a man-in-the-middle attack, would break the signature and freshclam
> > would refuse to run the files.
> 
> Sounds good. Can you please explain how this works in detail?
> 
> Apt places GPG keys in the system and uses them to verify downloaded 
> data.
> 
> It doesn't seem that ClamAV placed any GPG keys in my system. So how is 
> the verification happening?
> 

I wonder why the http/https discussion is still relevant. Almost all sites 
use https now, http is getting slowly banned and a lot of companies just don't 
want to allow incoming http traffic towards a server. Certificates cost nothing 
anymore (you have free ones), so that's no longer an issue too. And the cpu 
issue might've been relevant years ago, but it shouldn't be now (offloading 
https to a high-performant frontend server can help if you really have issues).
Just my 2 cents here ...

Franky



Re: [clamav-users] Database updated over unencrypted connection?

2019-03-15 Thread Franky Van Liedekerke via clamav-users
On Friday, 15-03-2019 at 16:04, instaham--- via clamav-users wrote:
> Leonardo Rodrigues wrote:
> >     the databases are digitally signed, and any modification, such in
> > a man-in-the-middle attack, would break the signature and freshclam
> > would refuse to run the files.
> 
> Sounds good. Can you please explain how this works in detail?
> 
> Apt places GPG keys in the system and uses them to verify downloaded 
> data.
> 
> It doesn't seem that ClamAV placed any GPG keys in my system. So how is 
> the verification happening?
> 

I wonder why the http/https discussion is still relevant. Almost all sites use 
https now, http is getting slowly banned and a lot of companies just don't want 
to allow incoming http traffic towards a server. Certificates cost nothing 
anymore (you have free ones), so that's no longer an issue too. And the cpu 
issue might've been relevant years ago, but it shouldn't be now (offloading 
https to a high-performant frontend server can help if you really have issues).
Just my 2 cents here ...

Franky




Re: [clamav-users] Database updated over unencrypted connection?

2019-03-15 Thread Leonardo Rodrigues

On 15/03/2019 14:39, G.W. Haywood via clamav-users wrote:

> Hi there,
>
> On Fri, 15 Mar 2019, Franky Van Liedekerke wrote:
>
> > Certificates cost nothing ...
>
> CPU cycles don't.

Developers' time does cost their ... time, basically. How about
contributing with the code instead of blaming? That would be useful.
Discussing http vs. https, believing that http is always insecure,
is useless.





--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAMTRAP, do not email it
gertru...@solutti.com.br






Re: [clamav-users] Database updated over unencrypted connection?

2019-03-15 Thread G.W. Haywood via clamav-users

Hi there,

On Fri, 15 Mar 2019, Franky Van Liedekerke wrote:

> Certificates cost nothing ...

CPU cycles don't.

--

73,
Ged.



Re: [clamav-users] Database updated over unencrypted connection?

2019-03-15 Thread Luke Massa via clamav-users
I had this question a while back, and this is what I was able to track down:

The files are not signed via any PKI trusted by your system, but rather by a 
specific RSA key that is trusted by the code itself. If you look in 
libclamav/dsig.c, there is an implementation of RSA inspired by 
http://www.erikyyy.de/yyyRSA/, and the public parameters of an RSA key are 
hard-coded in that file.

- Luke

On Mar 15, 2019, at 11:04 AM, instaham--- via clamav-users
<clamav-users@lists.clamav.net> wrote:

> Leonardo Rodrigues wrote:
> > the databases are digitally signed, and any modification, such in
> > a man-in-the-middle attack, would break the signature and freshclam
> > would refuse to run the files.
>
> Sounds good. Can you please explain how this works in detail?
>
> Apt places GPG keys in the system and uses them to verify downloaded data.
>
> It doesn't seem that ClamAV placed any GPG keys in my system. So how is the
> verification happening?
>
> Thanks
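
The trust model described in the message above, sketched as an added example that is not part of the thread and is not ClamAV's code: a verifier that ships with hard-coded RSA public parameters can reject a file modified in transit over plain http, with no system keyring involved. The key (built from two Mersenne primes), the `DEMO-DB` header layout and all function names are constructed for illustration; ClamAV's real header format and signature encoding are not reproduced here.

```python
import hashlib

# Constructed toy key (NOT ClamAV's): two Mersenne primes, so nothing is secret.
_P, _Q = 2**521 - 1, 2**607 - 1
PUB_N, PUB_E = _P * _Q, 65537           # public parameters compiled into the verifier
_PRIV_D = pow(PUB_E, -1, (_P - 1) * (_Q - 1))   # would exist only on the publisher side

HEADER_LEN = 512                        # hypothetical fixed-size header


def _digest_int(body: bytes) -> int:
    return int.from_bytes(hashlib.sha256(body).digest(), "big")


def publish(body: bytes) -> bytes:
    """Publisher: sign the body digest and embed the signature in the header."""
    # Textbook (unpadded) RSA keeps the sketch short; real schemes add padding.
    sig = pow(_digest_int(body), _PRIV_D, PUB_N)
    header = f"DEMO-DB:{sig:x}".encode().ljust(HEADER_LEN, b" ")
    return header + body


def verify(blob: bytes) -> bool:
    """Client: needs only PUB_N and PUB_E; the transport is not trusted."""
    if len(blob) < HEADER_LEN:
        return False
    header, body = blob[:HEADER_LEN], blob[HEADER_LEN:]
    fields = header.rstrip(b" ").split(b":")
    if len(fields) != 2 or fields[0] != b"DEMO-DB":
        return False
    try:
        sig = int(fields[1], 16)
    except ValueError:
        return False
    if not 0 < sig < PUB_N:
        return False
    # Recover the signed digest with the public key and compare it with the
    # digest of what actually arrived.
    return pow(sig, PUB_E, PUB_N) == _digest_int(body)


if __name__ == "__main__":
    blob = publish(b"constructed signature database v1\n")
    print("as published:       ", verify(blob))
    tampered = blob[:HEADER_LEN] + b"constructed signature database v1 + extra\n"
    print("modified in transit:", verify(tampered))
```

Changing either the body or the embedded signature makes `verify` return `False`, which is the property the thread relies on when the download itself is unencrypted.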
