WordPress 2.1.1 contained a trojan horse

Posted Mar 4, 2007 3:42 UTC (Sun) by miah (guest, #639)
Parent article: WordPress 2.1.1 contained a trojan horse

This is why checksums should also be accompanied by a cryptographic signature.

WordPress 2.1.1 contained a trojan horse

Posted Mar 4, 2007 11:34 UTC (Sun) by rickmoen (subscriber, #6943) [Link]

"miah" wrote:

This is why checksums should also be accompanied by a cryptographic signature.

Exactly so. Note that the main download page doesn't even offer the md5sum, only a tarball or Zip archive. The separate archive page lets you get the md5sums, but you're given no means of verifying their validity; evidently, the developers aren't bothering to sign their releases.

This is the reason why Web apps have been the low-hanging-fruit *ix intrusion vector of choice (aside from phishing and theft of security tokens on compromised hosts) over the last few years -- and why admins should be super-careful about anything they install from upstream tarballs.

Rick Moen
rick@linuxmafia.com

WordPress 2.1.1 contained a trojan horse

Posted Mar 4, 2007 18:18 UTC (Sun) by jwb (guest, #15467) [Link]

I don't see how that helps. Do you have a secure out-of-band means to obtain the public key?

WordPress 2.1.1 contained a trojan horse

Posted Mar 4, 2007 18:46 UTC (Sun) by intgr (subscriber, #39733) [Link]

No, but changed public keys, or public key fingerprints, on web sites are more likely to be noticed, as a single developer would use the same public key in more than one place.

And if you have already acquired the developer's public key earlier, you can use that to verify subsequent releases, and you don't have to rely on trusting the web site for public key distribution. In addition to that, you can rely on other people who trust the given developer, through the web of trust.

In short, it doesn't solve world hunger, but it would help a lot.
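The difference between a hosted checksum and a signature checked against a key you already hold, as an added worked example that is not code from this thread, from LWN or from the WordPress project: a Go program using the standard library's Ed25519 to model a download site that serves an archive, its checksum file, a detached signature over that checksum file and whatever key the site currently advertises. The layout, the type and function names (Release, Publish, Tamper, VerifyChecksumOnly, VerifySigned, KeyChanged, Scenario) and the archive contents are all constructed for this example; the attacker model is simply "whoever can replace the tarball can also replace everything served next to it".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release models what a project's download site serves. Constructed layout
// for this example; it is not WordPress's real release structure.
type Release struct {
	Archive   []byte
	Checksum  string            // hex SHA-256 of Archive, as published on the site
	Signature []byte            // Ed25519 signature over the Checksum string
	SiteKey   ed25519.PublicKey // public key offered on the same site as the tarball
}

// Fingerprint is the short value an admin records after obtaining the
// developer's key out of band (keyserver, keysigning party, earlier release).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Publish is what the developer does for a legitimate release.
func Publish(priv ed25519.PrivateKey, archive []byte) Release {
	sum := sha256.Sum256(archive)
	checksum := hex.EncodeToString(sum[:])
	return Release{
		Archive:   archive,
		Checksum:  checksum,
		Signature: ed25519.Sign(priv, []byte(checksum)),
		SiteKey:   priv.Public().(ed25519.PublicKey),
	}
}

// Tamper models a compromised download host: the archive is swapped and
// everything hosted beside it, key included, is regenerated to match.
func Tamper(r Release, replacement []byte) Release {
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Publish(attackerPriv, replacement)
}

// VerifyChecksumOnly is all a hosted md5sum/sha256sum file lets you do.
func VerifyChecksumOnly(r Release) bool {
	sum := sha256.Sum256(r.Archive)
	return hex.EncodeToString(sum[:]) == r.Checksum
}

// VerifySigned trusts only the key pinned earlier, never the key on the site.
func VerifySigned(r Release, pinned ed25519.PublicKey) error {
	if !ed25519.Verify(pinned, []byte(r.Checksum), r.Signature) {
		return errors.New("checksum file is not signed by the pinned key")
	}
	if !VerifyChecksumOnly(r) {
		return errors.New("archive does not match the signed checksum")
	}
	return nil
}

// KeyChanged flags the case intgr describes: the key the site now offers no
// longer matches the fingerprint recorded earlier, which deserves a look.
func KeyChanged(r Release, pinnedFingerprint string) bool {
	return Fingerprint(r.SiteKey) != pinnedFingerprint
}

// Scenario runs both checks against a genuine and a trojaned release and
// reports what each check catches. Archive bytes are constructed stand-ins.
func Scenario() (genuineOK, tamperedPassesChecksum, tamperedFailsSignature, keyChangeNoticed bool) {
	devPub, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pinnedFP := Fingerprint(devPub) // recorded when the key was first obtained

	genuine := Publish(devPriv, []byte("constructed archive: wordpress-2.1.1.tar.gz"))
	trojaned := Tamper(genuine, []byte("constructed archive: same name, altered contents"))

	genuineOK = VerifySigned(genuine, devPub) == nil && !KeyChanged(genuine, pinnedFP)
	tamperedPassesChecksum = VerifyChecksumOnly(trojaned) // checksum alone is useless here
	tamperedFailsSignature = VerifySigned(trojaned, devPub) != nil
	keyChangeNoticed = KeyChanged(trojaned, pinnedFP)
	return
}

func main() {
	ok, passChk, failSig, keyChg := Scenario()
	fmt.Printf("genuine release verifies: %v\n", ok)
	fmt.Printf("trojaned release passes checksum-only check: %v\n", passChk)
	fmt.Printf("trojaned release fails pinned-key signature check: %v\n", failSig)
	fmt.Printf("site key change noticed against pinned fingerprint: %v\n", keyChg)
}
```

Running it prints true for all four lines: the hosted checksum is regenerated along with the tarball and proves nothing, while the signature check fails because the only key consulted is the one pinned before the compromise, and the changed site key is itself a visible warning sign. Obtaining that first key securely (jwb's objection) is exactly the problem keyservers, fingerprints published in several places and the web of trust try to address.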

WordPress 2.1.1 contained a trojan horse

Posted Mar 4, 2007 21:09 UTC (Sun) by jeroen (subscriber, #12372) [Link]

Yes, public PGP servers. Keys can be verified by means of keysigning parties. For example, when I download a kernel from kernel.org, it is signed with a PGP key. That key is signed by a lot of other people, through which I can verify that the key is correct. You can see the trust path from my key to the linux archive key at http://pgp.cs.uu.nl/mk_path.cgi?FROM=AC1E715E&TO=517D...

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds