Verifying install files (Zotero)
I wish to install Zotero (a powerful reference manager which is free software). Unfortunately Zotero is not in Trisquel's repository (I wonder why not?). Hence one has to download the install file from zotero.org. They don't provide checksums or other means for verification. On the Zotero forum, dstillman, who is an administrator at the zotero site, wrote:
Checksums are useful if you're downloading software via HTTP or from an untrusted mirror. If you're downloading from a trusted site via HTTPS, there's not really much benefit — if someone could modify the binaries (or, in the case of a PKI failure, serve you a different binary), there's a good chance they could modify the hashes too. While those would be in separate locations with separate access permissions, you basically have to trust us to protect our own infrastructure either way, since anything we could set up to post hashes to the website at build time we can do ourselves to monitor changes without people needing to verify hashes manually. Needless to say, we keep access to the deployment pipeline extremely locked down and monitor all changes.
And the same goes for updates, which Zotero downloads via HTTPS from zotero.org subdomains.
(On macOS and Windows the executables are also signed, but Linux doesn't support that, and in any case it doesn't provide much additional security as long as you know you're getting the file from zotero.org.)
If dstillman is right, does it mean that checksumming files has no meaning? And is he right?
He's not right in terms of his company hosting the download infrastructure being any kind of assurance of security. Not too many years ago an extremely popular Windows utility called CCleaner had its download servers hacked, and it was serving up pure malware as "CCleaner updates" to some of the largest corporations in the world.
In that scenario, the attacker would modify the hashes as well, which is dstillman's point. Publishing the hashes would however allow somebody to get the binary from a redistributor (for instance from a friend with a pendrive) and still be able to check if it was tampered with.
In most cases I only install software from the Trisquel repo but for instance for Trisquel itself, Replicant images etc. I download the install files and verify them with shasum and gpg. I thought that such verification is (or can be) crucial to security - but perhaps it is not as useful as I thought?
It's not helpful when the attacker can both add their own malicious version and also alter the posted checksums so that they match.
A better option is probably things like GPG signatures. Assuming that you trust the key (which is a whole different topic with assorted issues) then you can verify that a given file was signed with a given key.
It's not helpful when the attacker can both add their own malicious version and also alter the posted checksums so that they match.
How likely are we to fall victim to such an offence?
Who knows. Didn't it happen with GNU/Linux Mint? https://blog.linuxmint.com/?p=2994
Don't forget that kernel.org was also compromised. If someone cracks a server to replace the downloadable programs they could also replace the checksums if they live in the same place. The attacker already has access to do the first and, if the checksums live on the same server in the same place, it would not be hard to take the additional step to change them to match.
For an example: I crack kernel.org, upload my own malicious version instead, and then replace this file so that it shows the stuff for my modified version:
https://cdn.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc
Now, that won't work for kernel.org because that message is also GPG-signed. People should not just rely on what it says but should also check the signature to make sure that I haven't done what I just described. My altering the message would invalidate the GPG signature and the tampering would only then be detected.
The same for the kernel source code: Check the GPG signature.
So, all that checksums give you is that the file was downloaded without some accidental corruption; it does not tell you that it's the same file that was originally uploaded. For that you need something else like the GPG signatures I mentioned earlier.
It's probably also worth mentioning that checking GPG signatures is also what the package manager does when you install programs from the Trisquel repo.
Wasn't there also a case with Linux Mint?