The backdooring of SquirrelMail

Posted Dec 20, 2007 9:23 UTC (Thu) by hickinbottoms (subscriber, #14798)
Parent article: The backdooring of SquirrelMail

Wouldn't it be helpful if the <a> tag could include a hash/signature (I'll refrain from
suggesting which one), that the browser could use to verify the download automatically?

Whilst that wouldn't plug the hole completely (the attacker may be able to compromise both the
web site and the tarball), from the reading of this article it would have meant all
downloaders would have been alerted to the compromise.



The backdooring of SquirrelMail

Posted Dec 20, 2007 16:21 UTC (Thu) by gerv (subscriber, #3376)

I've been proposing this for some years now - http://www.gerv.net/security/link-fingerprints/
- and we even got as far as a draft RFC but it received a chilly reception from the IETF. :-(

Gerv

link fingerprints

Posted Jan 4, 2008 23:32 UTC (Fri) by roelofs (guest, #2599)

I've been proposing this for some years now - http://www.gerv.net/security/link-fingerprints/ - and we even got as far as a draft RFC but it received a chilly reception from the IETF. :-(

Why stop with the IETF? This clearly falls equally under the W3C's purview--at least, if you consider implementing it as additional attributes to the anchor tag rather than welding it to URI syntax. It seems like an almost ideal XHTML or HTML4.x addition.

Greg

link fingerprints

Posted Jan 5, 2008 12:18 UTC (Sat) by gerv (subscriber, #3376)

I wanted to make it part of the URI syntax because then it could be used even in non-HTML
contexts - for example, in plain-text emails. But yes, perhaps if that's not going to be
achievable, we could get a significant proportion of the benefits by going via WHAT-WG or W3C
and adding a new attribute to HTML.

Gerv

link fingerprints

Posted Dec 20, 2007 20:44 UTC (Thu) by zooko (guest, #2589)

I uploaded a package this morning -- zfec v1.3.1. If you give the following hyperlink to the
"easy_install" tool, as in:

easy_install
http://pypi.python.org/packages/source/z/zfec/zfec-1.3.1....

Then easy_install will check that the md5 fingerprint of the resulting tarball matches the one
in the URL fragment and stop with an error message if they don't match.
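The fragment-fingerprint check zooko describes, and the browser-side verification proposed at the top of the thread, as an added Python example; this is not code from the thread, from easy_install or from the link-fingerprints proposal. The "#!alg!hex" fragment form, the sample tarball bytes and the example.invalid URL are assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Fragment forms recognised (assumption): "#md5=<hex>" as easy_install uses,
# and "#!<alg>!<hex>" as an assumed link-fingerprint style. Unknown or
# malformed fingerprints are rejected rather than silently ignored.
SUPPORTED = ("md5", "sha1", "sha256")

def parse_fingerprint(url):
    """Return (algorithm, hex digest) from the URL fragment, or None."""
    frag = urlparse(url).fragment
    if frag.startswith("!"):                    # "!sha256!<hex>"
        parts = frag[1:].split("!", 1)
    else:                                       # "md5=<hex>"
        parts = frag.split("=", 1)
    if len(parts) != 2:
        return None
    alg, digest = parts[0].lower(), parts[1].lower()
    if alg not in SUPPORTED:
        return None
    if len(digest) != 2 * hashlib.new(alg).digest_size:
        return None
    if any(c not in "0123456789abcdef" for c in digest):
        return None
    return alg, digest

def verify_download(url, data):
    """True only if data hashes to the fingerprint carried in url's fragment.
    A URL without a usable fingerprint counts as unverified (False)."""
    fp = parse_fingerprint(url)
    if fp is None:
        return False
    alg, expected = fp
    actual = hashlib.new(alg, data).hexdigest()
    return hmac.compare_digest(actual, expected)   # constant-time compare

# Constructed sample data standing in for the zfec-1.3.1 tarball.
TARBALL = b"constructed stand-in for zfec-1.3.1.tar.gz contents\n"
TAMPERED = TARBALL + b"# constructed modification of the download\n"
BASE = "http://example.invalid/zfec-1.3.1.tar.gz"
MD5_URL = BASE + "#md5=" + hashlib.md5(TARBALL).hexdigest()
SHA256_URL = BASE + "#!sha256!" + hashlib.sha256(TARBALL).hexdigest()

if __name__ == "__main__":
    for u in (MD5_URL, SHA256_URL):
        print(u, verify_download(u, TARBALL), verify_download(u, TAMPERED))
```

A URL without a fingerprint is reported as unverified rather than accepted, which is the behaviour a downloader should default to once such fragments are expected.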


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds