I suspect we all read your concerns, but I have a problem understanding how
that translates into defining a true vulnerability and the resultant level of
severity.
Assuming someone goes to all the trouble of figuring out what the hard coded
public key embedded in ClamAV is, signs a fake .cvd
My comments were mainly concerning CVD *validation*, not HTTPS.
Debian updates (for example) are delivered via plain HTTP, but they are
validated using standard GPG tools. Firefox (ESR) updates are handled
similarly (up to SHA512 hash, validated using GPG). I have more
confidence in standard GPG
As Micah said, when we roll out the new version of freshclam that supports
https, this will be a done deal. Technically, https on the cdn is available
now. Freshclam just doesn’t know how to use it. We want people to freshclam.
As the way it functions does so in a way that reduces load on
Looking at the PiperMail thread about how ClamAV verifies CVD
signatures, I see two things that concern me.
First, it says it uses "an implementation of RSA inspired by
http://www.erikyyy.de/yyyRSA/". How well has this implementation been
vetted? I'm not a crypto expert (by any means), but people
Arnaud Jacques wrote:
The .cvd files have an internal cryptographic signature that's
checked by freshclam and clamd/clamscan. If freshclam and/or clamd
accepts the files, you can be assured they are official and
unmodified. This is built into clam; no external tools are called.
Thanks, this is
On 2019-03-15 09:53, Franky Van Liedekerke via clamav-users wrote:
I wonder why the http/https discussion is still relevant. Almost all sites use
https now, http is getting slowly banned and a lot of companies just don't want
to allow incoming http traffic towards a server. Certificates cost
I had this question a while back, and this is what I was able to track down:
The files are not signed via any PKI trusted by your system, but rather by a
specific RSA key that is trusted by the code itself. If you look in
libclamav/dsig.c, there is an implementation of RSA inspired by
On 15/03/2019 14:39, G.W. Haywood via clamav-users wrote:
Hi there,
On Fri, 15 Mar 2019, Franky Van Liedekerke wrote:
Certificates cost nothing ...
CPU cycles don't.
Developers' time does cost ... their time, basically. How about
contributing code instead of blaming? That
Hi there,
On Fri, 15 Mar 2019, Franky Van Liedekerke wrote:
Certificates cost nothing ...
CPU cycles don't.
--
73,
Ged.
___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us
For what it's worth, one of the tasks we're working on for 0.102 is https
support for freshclam.
It's more than just adding an "s" to the URL. The plan is to make libcurl a
hard requirement for ClamAV, which will also mean including libcurl on Windows.
Then we'll have to rewrite the
On Friday, 15-03-2019 at 16:04, instaham--- via clamav-users wrote:
> Leonardo Rodrigues wrote:
> > the databases are digitally signed, and any modification, such as in
> > a man-in-the-middle attack, would break the signature and freshclam
> > would refuse to run the files.
>
> Sounds good.
Hello,
On 15/03/2019 at 16:04, instaham--- via clamav-users wrote:
Leonardo Rodrigues wrote:
the databases are digitally signed, and any modification, such as in
a man-in-the-middle attack, would break the signature and freshclam
would refuse to run the files.
Sounds good. Can you please
Leonardo Rodrigues wrote:
the databases are digitally signed, and any modification, such as in
a man-in-the-middle attack, would break the signature and freshclam
would refuse to run the files.
Sounds good. Can you please explain how this works in detail?
Apt places GPG keys in the system
Hello,
You can read this thread and form your own opinion:
https://lists.clamav.net/pipermail/clamav-users/2014-December/001129.html
On 14/03/2019 at 19:26, instaham--- via clamav-users wrote:
Hi everybody,
I assume that when I run "freshclam", the virus database is updated over an
On 14/03/2019 15:26, instaham--- via clamav-users wrote:
Hi everybody,
Or is some kind of verification of the data happening in the
background (such as apt in Debian is using GPG)?
the databases are digitally signed, and any modification, such as in a
man-in-the-middle attack, would