ClamAV updates its database over unencrypted connection

5 replies [Last post]
traxter
Offline
Joined: 03/23/2018

Hi all,

I hope someone with ClamAV experience and/or technical knowledge can help me with this.

I noticed that the mirror over which the ClamAV database is updated doesn't support https. It is an unencrypted http connection and there seem to be no mirrors supporting https.

I'm wondering if this isn't risky (possible data corruption, MITM attacks, etc.) - especially when it's something as sensitive as anti-virus software.

Is there some kind of verification happening in the background (e.g. like apt verifying downloaded packages with a GPG key)?

Or isn't there a reason to worry at all?

jxself
Offline
Joined: 09/13/2010

This is probably better for the ClamAV community: https://www.clamav.net/contact

traxter
Offline
Joined: 03/23/2018

Problem is that the site where I could subscribe for their mailing list doesn't support https either.

Direct contact with the developers seems to be limited to reporting malware, bugs, false positives and submitting signatures. Don't know if reporting it as a bug makes sense, it isn't really one...

tonlee
Offline
Joined: 09/08/2014

https://en.wikipedia.org/wiki/Pretty_Good_Privacy

Do you know about the pgp encryption system? Public and private keys?
https://emailselfdefense.fsf.org/en/

If clamav's public keys got on the computer in a secure manner, it is not
important if later clamav data transfers are https encrypted.

Gpg4usb is a pgp encryption program which has a graphical
user interface.
gpg4usb.org

traxter
Offline
Joined: 03/23/2018

> Do you know about the pgp encryption system? Public and private keys?

I have basic knowledge about it

> If clamav's public keys got on the computer in a secure manner, it is not
> important if later clamav data transfers are https encrypted.

So if I download ClamAV over apt, is ClamAV's key then already included and later used to verify their database updates? If yes, I understand that a plain http connection isn't problematic.

But is this the case or do I have to import their key separately?

tonlee
Offline
Joined: 09/08/2014

> So if I download ClamAV over apt, is ClamAV's key then already included and later used to verify their database updates?

I cannot tell you.

> Don't know if reporting it as a bug makes sense, it isn't really one

If there is no clamav documentation on this question it is an error and
you should file a question to clamav.
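
Added example, not part of the thread and not ClamAV's own code: a short Python check of the integrity fields that a downloaded `.cvd` database file carries in its header, which is where the "verification in the background" asked about above would have to live. The header layout (512 bytes, colon-separated, with an MD5 field and a digital-signature field) is taken from ClamAV's documented CVD format, not from this thread; the sample file and its placeholder signature are constructed.

```python
import hashlib

HEADER_SIZE = 512  # CVD files start with a fixed-size, space-padded text header
FIELDS = ("magic", "build_time", "version", "sig_count", "flevel",
          "md5", "dsig", "builder", "stime")


def parse_cvd_header(blob: bytes) -> dict:
    """Split the colon-separated CVD header into named fields."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("shorter than a CVD header")
    parts = blob[:HEADER_SIZE].decode("ascii", "replace").rstrip().split(":")
    if parts[0] != "ClamAV-VDB" or len(parts) < 8:
        raise ValueError("not a CVD header")
    return dict(zip(FIELDS, parts))


def check_cvd(blob: bytes) -> dict:
    """Compare the digest stored in the header with the actual payload."""
    hdr = parse_cvd_header(blob)
    actual = hashlib.md5(blob[HEADER_SIZE:]).hexdigest()
    return {
        "version": int(hdr["version"]),
        "md5_matches": actual == hdr["md5"].lower(),
        # The digest alone proves nothing against a MITM, who can rewrite it.
        # The dsig field is a signature over it; this sketch does not verify it.
        "has_dsig": bool(hdr["dsig"]),
    }


def make_sample(body: bytes) -> bytes:
    """Constructed test file: fake payload and a placeholder signature."""
    header = ":".join(["ClamAV-VDB", "01 Jan 2018 00-00 +0000", "1", "0", "60",
                       hashlib.md5(body).hexdigest(), "CONSTRUCTED-PLACEHOLDER",
                       "example", "1514764800"])
    return header.encode("ascii").ljust(HEADER_SIZE, b" ") + body


if __name__ == "__main__":
    good = make_sample(b"constructed payload")
    print(check_cvd(good))              # intact download
    print(check_cvd(good[:-1] + b"X"))  # payload altered in transit
```

On a real system, `sigtool --info` on the database file prints the same header fields.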