
Vsftpd backdoor discovered in source code (The H)

Posted Jul 5, 2011 8:10 UTC (Tue) by farnz (guest, #17727)
In reply to: Vsftpd backdoor discovered in source code (The H) by hpro
Parent article: Vsftpd backdoor discovered in source code (The H)

That's why you want digitally signed signatures (GPG can create such things). If the maintainer is dealing with the same upstream for a while, the change of signing key is a major event, and worth cross-checking by other routes (e-mail, IRC). Even better - if upstream can get involved in the PGP Web of Trust, a change of key to an attacker's key that aims to look like upstream's key will change from a key you trust to an untrusted key, giving you a chance to intervene.



Vsftpd backdoor discovered in source code (The H)

Posted Jul 5, 2011 8:23 UTC (Tue) by hpro (subscriber, #74751)

Digital signatures within your Web of Trust are very nice, but realistically, you usually only have a checksum next to the download link when you are downloading the source for some project yourself.

But then again, in the end you might just be downloading a program that is malicious to begin with, and no checksums can help you with that. (E.g., Android Market)

Vsftpd backdoor discovered in source code (The H)

Posted Jul 5, 2011 9:37 UTC (Tue) by tialaramex (subscriber, #21167)

Verifying an OpenPGP detached signature would be more reliable for package maintainers though since they would quickly develop a history. It's the same rationale as web browser add-ons that alert you when the SSL cert for a site you visit _changes_ on the basis that it's far more likely bad guys will attempt a MitM attack somewhere between your 1st and Nth visit than before the 1st visit.

This seems like it's worth building into package building automation. "Download new source" should be "Download, verify as authentic and refuse to continue if not" for every package that provides detached signatures. This would require explicit intervention if the author (or rather signer) changes, but that is a significant event of which the maintainer certainly should be aware.
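One way to put the "download, verify, refuse on a changed signer" step from the post above into package automation, and to catch the key change farnz describes earlier in the thread. This is an added example written for this page; it is not code from any of the commenters, from LWN, or from the vsftpd project. It assumes a `gpg` binary on PATH and a JSON pins file mapping package name to the primary-key fingerprint of its signer; the pins file and its layout are this example's own invention, and the status lines used in the test are constructed, not captured from a real verification.

```python
#!/usr/bin/env python3
"""Verify a tarball against its detached OpenPGP signature and refuse to
continue unless the signer is the key already pinned for that package.

Added example for this LWN thread, not code from any commenter or project.
Assumes `gpg` on PATH and a JSON pins file (package -> primary fingerprint);
both the pins file and its format are assumptions made for this example.
"""
import json
import os
import subprocess

# gpg --status-fd tokens that mean the signature must not be accepted.
_FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_gpg_status(status_text):
    """Reduce `gpg --status-fd` output to (good, primary_fingerprint, problems).

    VALIDSIG names the key that made the signature and, in its last field,
    that key's primary-key fingerprint.  Pin the primary key: upstream may
    rotate signing subkeys without changing who they are.
    """
    primary = None
    problems = []
    valid = False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        token = fields[1]
        if token == "VALIDSIG" and len(fields) >= 12:
            valid = True
            primary = fields[-1].upper()
        elif token in _FATAL:
            problems.append(token)
    return (valid and not problems), primary, problems


def check_signer(status_text, pins, package):
    """Apply the pin policy; returns (accept, message) and may update `pins`.

    First verified download of a package records its signer (trust on
    first use).  A later change of primary fingerprint is refused outright,
    which forces the explicit human intervention the thread asks for.
    """
    good, fpr, problems = parse_gpg_status(status_text)
    if not good:
        return False, "signature rejected: %s" % (", ".join(problems) or "no VALIDSIG")
    pinned = pins.get(package)
    if pinned is None:
        pins[package] = fpr
        return True, "first verified download of %s; pinned signer %s" % (package, fpr)
    if pinned.upper() != fpr:
        return False, ("signer for %s changed from %s to %s; refusing, re-pin by hand "
                       "only after confirming the change by another route"
                       % (package, pinned, fpr))
    return True, "%s signed by pinned key %s" % (package, fpr)


def verify_download(package, tarball, signature, pins_path, gnupghome=None):
    """Run gpg on the already-downloaded files and enforce the pins file."""
    env = dict(os.environ)
    if gnupghome:
        env["GNUPGHOME"] = gnupghome
    # --status-fd 1 puts the machine-readable status lines on stdout.
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball]
    proc = subprocess.run(cmd, env=env, capture_output=True, text=True)
    pins = {}
    if os.path.exists(pins_path):
        with open(pins_path) as fh:
            pins = json.load(fh)
    accept, msg = check_signer(proc.stdout, pins, package)
    if accept:  # persist a first-use pin; a refused change never touches the file
        with open(pins_path, "w") as fh:
            json.dump(pins, fh, indent=2, sort_keys=True)
    return accept, msg


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 5:
        sys.exit("usage: %s PACKAGE TARBALL TARBALL.sig PINS.json" % sys.argv[0])
    ok, message = verify_download(*sys.argv[1:5])
    print(message)
    sys.exit(0 if ok else 1)
```

Wire it in right after the fetch (`wget vsftpd-X.tar.gz vsftpd-X.tar.gz.asc && ./verify.py vsftpd vsftpd-X.tar.gz vsftpd-X.tar.gz.asc pins.json`) and let a non-zero exit abort the build. Note that the check is only as good as the keyring gpg verifies against: the pins file and that keyring should live with the build infrastructure, not on the host that serves the tarballs, for the reason drag gives further down the thread.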

Vsftpd backdoor discovered in source code (The H)

Posted Jul 5, 2011 13:04 UTC (Tue) by drag (subscriber, #31333)

Plus it's very important to make sure that the servers that have the hash/signature/keyrings are going to be different from the ones that manage the packages.

You don't want one server compromise to allow the attacker to not only upload his own package, but sign it also.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds