Re: [Python-Dev] Hashes on same site as download?

2013-10-21 Thread Barry Warsaw
On Oct 21, 2013, at 06:21 PM, Dan Stromberg wrote:

> I may be missing something, but it seems the Python tarballs and hashes are
> on the same host, and this is not an entirely good thing for security.

All the tarballs are signed with the GPG keys of the release managers.  The
hashes are just a quick verification that your download succeeded.  For extra
confidence, check the signatures.  Our keys should be independently
verifiable.

-Barry
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
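The distinction Barry draws, a hash that only proves the transfer was intact versus a signature that proves who produced the file, as a checker you can run on a downloaded release. This is an added example, not python.org's release tooling. It assumes a sha256sum-style hash listing, a detached `.asc` signature next to the tarball, a `gpg` binary on PATH, and a release manager fingerprint you obtained out of band; the function names (`verify_release`, `parse_gpg_status`, ...) and the sample digests, fingerprints and file names are mine.

```python
# Added example (not python.org release tooling): verify a downloaded release
# artifact. The published hash only shows the download was not corrupted; the
# detached GPG signature, checked against a release manager fingerprint pinned
# independently of the download page, is what shows who produced the file.
import hashlib
import hmac
import subprocess
from pathlib import Path

# gpg --status-fd tokens that mean "treat this signature as unverified".
_BAD_TOKENS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


def parse_hash_listing(text):
    """Parse 'hexdigest  filename' lines (sha256sum/md5sum style) into a dict.
    Lines that do not have exactly two fields are ignored."""
    listing = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        digest, name = parts
        listing[name.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return listing


def digest_bytes(data, algorithm="sha256"):
    return hashlib.new(algorithm, data).hexdigest()


def digest_file(path, algorithm="sha256"):
    """Stream the file so a large tarball is not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_matches(name, digest, listing):
    """True only if the listing names this file and the digests agree."""
    expected = listing.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(digest.lower(), expected)


def parse_gpg_status(status_text, trusted_fingerprints):
    """Interpret gpg --status-fd output. Accept only a VALIDSIG whose
    fingerprint is in the set pinned out of band; reject outright if any
    bad/expired/revoked token appears. Returns (ok, fingerprint_or_None)."""
    trusted = {f.replace(" ", "").upper() for f in trusted_fingerprints}
    seen_fpr, ok = None, False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        token = parts[1]
        if token in _BAD_TOKENS:
            return False, seen_fpr
        if token == "VALIDSIG" and len(parts) >= 3:
            seen_fpr = parts[2].upper()   # full fingerprint of the signing key
            ok = seen_fpr in trusted
    return ok, seen_fpr


def signature_verifies(artifact, sig_path, trusted_fingerprints, gpg="gpg"):
    """Run gpg on a detached signature and apply parse_gpg_status.
    Returns False rather than raising if gpg is not installed."""
    cmd = [gpg, "--batch", "--status-fd", "1", "--verify", str(sig_path), str(artifact)]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return False
    ok, _ = parse_gpg_status(proc.stdout, trusted_fingerprints)
    return ok and proc.returncode == 0


def verify_release(artifact, listing_text, sig_path, trusted_fingerprints):
    """Both checks must pass; a hash check alone is exactly what the thread
    warns cannot distinguish a doctored tarball from a genuine one."""
    artifact = Path(artifact)
    listing = parse_hash_listing(listing_text)
    if not hash_matches(artifact.name, digest_file(artifact), listing):
        return "hash mismatch"
    if not signature_verifies(artifact, sig_path, trusted_fingerprints):
        return "signature not verified"
    return "ok"
```

The fingerprint set passed to `verify_release` is the part that has to come from somewhere other than the download page; a key fetched from the same compromised host would verify a doctored tarball just as cleanly.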


Re: [Python-Dev] Hashes on same site as download?

2013-10-21 Thread Tim Delaney
On 22 October 2013 12:21, Dan Stromberg drsali...@gmail.com wrote:


> I may be missing something, but it seems the Python tarballs and hashes
> are on the same host, and this is not an entirely good thing for security.
>
> The way things are now, an attacker breaks into one host, doctors up a
> tarball, changes the hashes in the same host, and people download without
> noticing, even if they verify hashes.
>
> If you put the hashes on a different host from the tarballs, the attacker
> has to break into two machines.  In this scenario, the hashes add more
> strength.


I'm not a security expert, but I can't see how that gives any more security
than the current system (I tried to find whatever article you're talking
about, but failed). It doesn't matter if you provide downloads in one place
and direct people to get the hashes from elsewhere. An attacker has no need
to compromise the server where the hashes are stored - they only need to
compromise the server that tells you where to get the downloads and hashes.

Then the attacker can simply change the download page to direct you to the
malicious downloads, hashes and keys (which they can place on the same
server, so everything looks legit).

Off the top of my head, one way that would give more security would be to
store a hash of the download page itself elsewhere (preferably multiple
places) and periodically compare that with the live version. Any changes to
the live page would be noticed (eventually) unless the attacker also
compromised all those other machines.

Tim Delaney
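Tim's closing suggestion, a hash of the download page itself kept in several other places and compared with the live page periodically, as a small monitor. This is an added example, not anything python.org runs. It assumes the caller fetches the live page bytes and supplies the stored baselines as a mapping; the store names, hostnames and page content are constructed for the demo. It also covers the case Tim's wording implies but does not spell out: the baseline stores disagreeing with each other, which is what a single altered store looks like.

```python
# Added example (not a python.org tool): out-of-band integrity monitor for a
# download page. Record the page hash in several independent stores while the
# page is known-good, then re-fetch the live page and compare. Alert when the
# live copy differs from the stored baseline, and separately when the stores
# disagree among themselves, so one altered store cannot silence the alarm.
import hashlib
from collections import Counter


def page_fingerprint(page_bytes):
    """Hash the raw page bytes with sha256."""
    return hashlib.sha256(page_bytes).hexdigest()


def check_page(live_page_bytes, baselines):
    """baselines: mapping store_name -> hexdigest recorded when the page was
    known-good. Returns (verdict, detail); verdict is one of
      'ok'          every store agrees and matches the live page
      'changed'     stores agree but the live page differs
      'conflict'    stores disagree with each other
      'no_baseline' nothing to compare against
    """
    if not baselines:
        return "no_baseline", {}
    live = page_fingerprint(live_page_bytes)
    tally = Counter(baselines.values())
    if len(tally) > 1:
        majority, _ = tally.most_common(1)[0]
        dissenting = sorted(s for s, d in baselines.items() if d != majority)
        return "conflict", {"dissenting_stores": dissenting,
                            "live_matches_majority": live == majority}
    (baseline,) = tally
    if live == baseline:
        return "ok", {"digest": live}
    return "changed", {"expected": baseline, "live": live}


# Constructed sample: a minimal download page, and a copy whose links point at
# a different host. Hypothetical hostnames, not real ones.
GOOD_PAGE = (b"<html><body>\n"
             b'<a href="https://downloads.example.org/release.tar.xz">release.tar.xz</a>\n'
             b'<a href="https://downloads.example.org/release.tar.xz.asc">signature</a>\n'
             b"</body></html>\n")
TAMPERED_PAGE = GOOD_PAGE.replace(b"downloads.example.org", b"mirror.example.net")


def demo():
    """Run the three situations the monitor distinguishes on the sample page."""
    baseline = page_fingerprint(GOOD_PAGE)
    stores = {"monitor-a": baseline, "monitor-b": baseline, "monitor-c": baseline}
    one_store_altered = dict(stores, **{"monitor-c": page_fingerprint(TAMPERED_PAGE)})
    return {
        "unchanged": check_page(GOOD_PAGE, stores)[0],
        "tampered": check_page(TAMPERED_PAGE, stores)[0],
        "one_store_altered": check_page(GOOD_PAGE, one_store_altered)[0],
    }
```

Two practical points: the stores have to be unreachable from the web host's credentials, or they are just the same machine again; and a page with dynamic elements (timestamps, session tokens) needs canonicalising before hashing, otherwise every poll reports 'changed'.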


Re: [Python-Dev] Hashes on same site as download?

2013-10-21 Thread Dan Stromberg
On Mon, Oct 21, 2013 at 6:47 PM, Tim Delaney timothy.c.dela...@gmail.com wrote:

> On 22 October 2013 12:21, Dan Stromberg drsali...@gmail.com wrote:
>
>> I may be missing something, but it seems the Python tarballs and hashes
>> are on the same host, and this is not an entirely good thing for security.

I was missing the gpg signing.  That's probably more effective than md5
anyway - at least, I hope we're not using gpg with md5 :)

Looking at the download pages in rapid-skim-mode, I saw the hashes and
ignored the text describing the use of gpg.  FWIW, I'm guessing a lot of
people do that.

>> The way things are now, an attacker breaks into one host, doctors up a
>> tarball, changes the hashes in the same host, and people download without
>> noticing, even if they verify hashes.
>>
>> If you put the hashes on a different host from the tarballs, the attacker
>> has to break into two machines.  In this scenario, the hashes add more
>> strength.
>
> I'm not a security expert, but I can't see how that gives any more
> security than the current system (I tried to find whatever article you're
> talking about, but failed). It doesn't matter if you provide downloads in
> one place and direct people to get the hashes from elsewhere. An attacker
> has no need to compromise the server where the hashes are stored - they
> only need to compromise the server that tells you where to get the
> downloads and hashes.


I don't see the original article anymore, but I believe it was in a
Crypto-gram newsletter several years ago.

The closest thing I found tonight was:
http://en.wikipedia.org/wiki/MD5#Applications