Re: [freenet-support] No SHA1 or MD5 hashes for the installer?
On Wednesday 05 January 2011 19:49:36 Fabio Spelta wrote: > > > > Which means that if somebody is attacking you he will substitute both the > > signature file and my key when you download it. So you gain very little, > > unless you have some other trust path. > > > > > Well, they should also hijack the connection with the keyserver site. While > being the man in the middle in a HTTP connection (thus, the one used to > download the freenet binaries) can be easy, hijacking a SSL/TLS protected > one is hard. > Oh, the HKP protocol used to transfer keys is cleartext too, being it over > HTTP. > Well. Please come to my house, show me your documents and the fingerprint of > your public key. > > Please. > > :) > > Oh, and come again after 2015. ;) > > > > Trust is hard. Even if you pay money to "solve" the problem, there are lots > > of cases of problems with paid for certs. > > > > > Yup, some. But you will agree that the problematic scenarios with signed > X509 certs are scarce and almost insignificant if compared to > web-of-trust-based ones. > > By the way, how much would it cost "you" (I mean, to the community) a > certificate that would last, let's say, for three years? Just curious, if > you ever checked. Actually I think the free/ dirt cheap ssl cert provider we use is accepted for code signing in some cases. It's on the todo list. signature.asc Description: This is a digitally signed message part. ___ Support mailing list [email protected] http://news.gmane.org/gmane.network.freenet.support Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support Or mailto:[email protected]?subject=unsubscribe
Re: [freenet-support] No SHA1 or MD5 hashes for the installer?
On Wednesday 05 January 2011 19:49:36 Fabio Spelta wrote: > > > > Which means that if somebody is attacking you he will substitute both the > > signature file and my key when you download it. So you gain very little, > > unless you have some other trust path. > > > > > Well, they should also hijack the connection with the keyserver site. While > being the man in the middle in a HTTP connection (thus, the one used to > download the freenet binaries) can be easy, hijacking a SSL/TLS protected > one is hard. > Oh, the HKP protocol used to transfer keys is cleartext too, being it over > HTTP. > Well. Please come to my house, show me your documents and the fingerprint of > your public key. > > Please. > > :) > > Oh, and come again after 2015. ;) > > > > Trust is hard. Even if you pay money to "solve" the problem, there are lots > > of cases of problems with paid for certs. > > > > > Yup, some. But you will agree that the problematic scenarios with signed > X509 certs are scarce and almost insignificant if compared to > web-of-trust-based ones. > > By the way, how much would it cost "you" (I mean, to the community) a > certificate that would last, let's say, for three years? Just curious, if > you ever checked. Enough money that we haven't done it yet. signature.asc Description: This is a digitally signed message part. ___ Support mailing list [email protected] http://news.gmane.org/gmane.network.freenet.support Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support Or mailto:[email protected]?subject=unsubscribe
Re: [freenet-support] No SHA1 or MD5 hashes for the installer?
> > Which means that if somebody is attacking you he will substitute both the > signature file and my key when you download it. So you gain very little, > unless you have some other trust path. > > Well, they should also hijack the connection with the keyserver site. While being the man in the middle in a HTTP connection (thus, the one used to download the freenet binaries) can be easy, hijacking a SSL/TLS protected one is hard. Oh, the HKP protocol used to transfer keys is cleartext too, being it over HTTP. Well. Please come to my house, show me your documents and the fingerprint of your public key. Please. :) Oh, and come again after 2015. ;) > Trust is hard. Even if you pay money to "solve" the problem, there are lots > of cases of problems with paid for certs. > > Yup, some. But you will agree that the problematic scenarios with signed X509 certs are scarce and almost insignificant if compared to web-of-trust-based ones. By the way, how much would it cost "you" (I mean, to the community) a certificate that would last, let's say, for three years? Just curious, if you ever checked. Cheers! -- Fabio ___ Support mailing list [email protected] http://news.gmane.org/gmane.network.freenet.support Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support Or mailto:[email protected]?subject=unsubscribe
Re: [freenet-support] No SHA1 or MD5 hashes for the installer?
On Tuesday 04 January 2011 16:56:14 Fabio Spelta wrote: > > > > > > Am I doing something wrong? > > > You have to install the signer's public key. > > I strongly agree, this should be documented step by step because it's very > important. > To get mr. Toseland's latest key run this: > > gpg --recv-keys 75941D88 > > Then you will have the chance to verify the signature. > > Some explanation: to verify a "real" (read: pen) signature you have to know > how the original signature looks like. > With public key cryptography things works in a different (and unusual) way, > but still; you have to know the public key of the signer to check that the > signature is valid. Which means that if somebody is attacking you he will substitute both the signature file and my key when you download it. So you gain very little, unless you have some other trust path. Trust is hard. Even if you pay money to "solve" the problem, there are lots of cases of problems with paid for certs. This is why we don't really emphasise it. People who care will know what to do. > > I found his public key searching for his name in the pgp.mit.edu keyserver: > http://pgp.mit.edu:11371/pks/lookup?search=matthew+toseland&op=index Or just use the key I sign my emails with. If you've been subscribed for a long time and I've always used the same key it's unlikely somebody has MITMed you. > > The email used is the one he uses to participate in this mailing list ( > [email protected]) and the comment says "2010-2015 key". So, I > thought, "it must be that one", and it is. (Yes, key can and in some cases > should expire). Right. > > So. With that command you can download and import his key from a server with > the GPG utility. Then you can verify the signature. > GPG will tell you that the signature is valid, but will still warn you; > since the trust you put into the key is upon you. I mean: who's assuring > that the key you got is REALLY mister Toseland's? > > But, as he said, you can't have a guarantee of that unless you use a costy > X.509 certificate. So there's no escape. Still, checking a signature made > with a self signed key is by far more secure that not doing any verify at > all. signature.asc Description: This is a digitally signed message part. ___ Support mailing list [email protected] http://news.gmane.org/gmane.network.freenet.support Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support Or mailto:[email protected]?subject=unsubscribe
Re: [freenet-support] No SHA1 or MD5 hashes for the installer?
On Tuesday 04 January 2011 16:22:20 Daxter wrote: > On Jan 1, 2011, at 11:57 AM, Matthew Toseland wrote: > > On Saturday 01 January 2011 17:51:41 Fabio Spelta wrote: > >> > >> Glad to know it. Where are they published? > >> I'd suggest you to publish the instructions and the links to do so right > >> into the install instructions. > > > > We do, but it's not very prominent because most users don't use it. Reread > > the download page. > > You can say that again! It's only ever mentioned in the Linux download > instructions. There's no reference to it for Mac or Windows. Linux users are assumed to be geeks. Mac and Windows users are not. :) Ideally the Windows installer would be signed code. In fact ideally they'd all be signed - jar's can be signed too. But we'd have to buy a cert ... > The worst part about the current setup is that even if a person that's > running Windows or Mac reads the instructions word-for-word they still will > have no idea that there is anything available to ensure that the file they > want to download isn't molested. How can we expect newbies to take security > precautions when the methods aren't well-explained, and sometimes aren't > explained at all? They're using Windows. They're not geeks, they don't care about or know about such issues. Is that hopelessly patronising, or is it realistic? > > I tried it out using GnuPG (for Mac) to verify the offline installer .jar > file, but I received an error: > "Can't check signature: public key not found" So download my key, the one used to sign this email. > > The command I typed was -> gpg --verify [installer] [.sig] > > Am I doing something wrong? signature.asc Description: This is a digitally signed message part. ___ Support mailing list [email protected] http://news.gmane.org/gmane.network.freenet.support Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support Or mailto:[email protected]?subject=unsubscribe
Re: [freenet-support] No SHA1 or MD5 hashes for the installer?
On Saturday 01 January 2011 19:08:05 Fabio Spelta wrote: > > > > > > We do, but it's not very prominent because most users don't use it. Reread > > the download page. > > I would rather suggest you to put that directly into the install > instructions here. > > http://freenetproject.org/install.html I didn't think anyone used that. Where did you get to it from? signature.asc Description: This is a digitally signed message part. ___ Support mailing list [email protected] http://news.gmane.org/gmane.network.freenet.support Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support Or mailto:[email protected]?subject=unsubscribe
Re: [freenet-support] No SHA1 or MD5 hashes for the installer?
> > > Am I doing something wrong? You have to install the signer's public key. I strongly agree, this should be documented step by step because it's very important. To get mr. Toseland's latest key run this: gpg --recv-keys 75941D88 Then you will have the chance to verify the signature. Some explanation: to verify a "real" (read: pen) signature you have to know how the original signature looks like. With public key cryptography things works in a different (and unusual) way, but still; you have to know the public key of the signer to check that the signature is valid. I found his public key searching for his name in the pgp.mit.edu keyserver: http://pgp.mit.edu:11371/pks/lookup?search=matthew+toseland&op=index The email used is the one he uses to participate in this mailing list ( [email protected]) and the comment says "2010-2015 key". So, I thought, "it must be that one", and it is. (Yes, key can and in some cases should expire). So. With that command you can download and import his key from a server with the GPG utility. Then you can verify the signature. GPG will tell you that the signature is valid, but will still warn you; since the trust you put into the key is upon you. I mean: who's assuring that the key you got is REALLY mister Toseland's? But, as he said, you can't have a guarantee of that unless you use a costy X.509 certificate. So there's no escape. Still, checking a signature made with a self signed key is by far more secure that not doing any verify at all. Cheers, -- Fabio ___ Support mailing list [email protected] http://news.gmane.org/gmane.network.freenet.support Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support Or mailto:[email protected]?subject=unsubscribe
Re: [freenet-support] No SHA1 or MD5 hashes for the installer?
On Jan 1, 2011, at 11:57 AM, Matthew Toseland wrote: > On Saturday 01 January 2011 17:51:41 Fabio Spelta wrote: >> >> Glad to know it. Where are they published? >> I'd suggest you to publish the instructions and the links to do so right >> into the install instructions. > > We do, but it's not very prominent because most users don't use it. Reread > the download page. You can say that again! It's only ever mentioned in the Linux download instructions. There's no reference to it for Mac or Windows. The worst part about the current setup is that even if a person that's running Windows or Mac reads the instructions word-for-word they still will have no idea that there is anything available to ensure that the file they want to download isn't molested. How can we expect newbies to take security precautions when the methods aren't well-explained, and sometimes aren't explained at all? I tried it out using GnuPG (for Mac) to verify the offline installer .jar file, but I received an error: "Can't check signature: public key not found" The command I typed was -> gpg --verify [installer] [.sig] Am I doing something wrong? ___ Support mailing list [email protected] http://news.gmane.org/gmane.network.freenet.support Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support Or mailto:[email protected]?subject=unsubscribe
Re: [freenet-support] No SHA1 or MD5 hashes for the installer?
> > > We do, but it's not very prominent because most users don't use it. Reread > the download page. > I would rather suggest you to put that directly into the install instructions here. http://freenetproject.org/install.html My two cents. Again, best wishes and many thanks -- Fabio ___ Support mailing list [email protected] http://news.gmane.org/gmane.network.freenet.support Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support Or mailto:[email protected]?subject=unsubscribe
Re: [freenet-support] No SHA1 or MD5 hashes for the installer?
On Saturday 01 January 2011 17:51:41 Fabio Spelta wrote: > > > > > > You don't. Trust requires money (to buy a cert). Only rich people have > > money. Rich people can't be trusted. Therefore nobody can be trusted. ;) > > > > :) > > > > Seriously, you can, and should, check the GPG signature. > > > > Glad to know it. Where are they published? > I'd suggest you to publish the instructions and the links to do so right > into the install instructions. We do, but it's not very prominent because most users don't use it. Reread the download page. signature.asc Description: This is a digitally signed message part. ___ Support mailing list [email protected] http://news.gmane.org/gmane.network.freenet.support Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support Or mailto:[email protected]?subject=unsubscribe
Re: [freenet-support] No SHA1 or MD5 hashes for the installer?
> > > You don't. Trust requires money (to buy a cert). Only rich people have > money. Rich people can't be trusted. Therefore nobody can be trusted. ;) > :) > Seriously, you can, and should, check the GPG signature. > Glad to know it. Where are they published? I'd suggest you to publish the instructions and the links to do so right into the install instructions. I wish you and to everybody a happy new year. Thank you so much, -- Fabio ___ Support mailing list [email protected] http://news.gmane.org/gmane.network.freenet.support Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support Or mailto:[email protected]?subject=unsubscribe
Re: [freenet-support] No SHA1 or MD5 hashes for the installer?
On Thursday 30 December 2010 23:46:48 Fabio Spelta wrote: > Hello all. > > I tried to install Freenet running the Java WebStart tool. It asked me if I > wanted to continue with the installation after presenting me the X.509 > certificate of Matthew Toseland whose fingerprint > is 85:D7:BE:A3:A7:78:62:D2:0C:48:DF:5A:07:94:8E:72 > > I couldn't find any reference to that fingerprint on the web. > > Then I tried the offline install as suggested as the second option, > downloading this file > http://freenet.googlecode.com/files/new_installer_offline_1314.jar > > Still: I couldn't find on the web it's hashes, neither the md5 nor the sha1 > one. > > How can I trust the Freenet file I am bout to install then? How can I know > that nobody hijacked my connection passing me a wrong file? You don't. Trust requires money (to buy a cert). Only rich people have money. Rich people can't be trusted. Therefore nobody can be trusted. ;) Seriously, you can, and should, check the GPG signature. > > That's a paranoid behavior, maybe, but what's Freenet about after all? If I > don't trust the web, then I just... don't. > > Thanks for any answer and thank you so much for your work! signature.asc Description: This is a digitally signed message part. ___ Support mailing list [email protected] http://news.gmane.org/gmane.network.freenet.support Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support Or mailto:[email protected]?subject=unsubscribe
