
Rant about "mark it trusted" dialog

Posted Mar 5, 2009 11:02 UTC (Thu) by forthy (guest, #1525)
Parent article: Desktop malware risk gets raised and patched

I don't think this dialog will help. The e-mail will contain a text describing: "Just drag the file onto your desktop. When you open it first on a Linux machine, you might get a strange and cryptic warning message - I don't know why, must be a bug, but just clicking on 'trust the file' worked for me." And users are already trained to click away all those warning messages without giving them the tiniest bit of thought.

What's worse is that repositories like SuSE's community repositories give a false sense of being trustworthy by having public key signatures - but no trust chain whatsoever! The only thing the user can do on these occasional key changes is to import the new key - he has no idea why the key has changed, whether this is a man-in-the-middle attack or whatever. The people who operate these repositories should go to a key signing party at the next Linux-related event, and get signatures of a few hundred Linux enthusiasts on their personal key, which they then use to sign the repository key (plus a signature of the distributor's master key) - this will allow setting a level of trust for the key. Note that SuSE's one-click-install is another extremely easy way to get software installed. But at least the user knows that it is software that is being installed (though without a trust chain, it's impossible to verify how trustworthy the source is).
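A simplified model of the trust chain forthy describes, as an added example that is not part of the comment: the user assigns marginal owner trust to people met at a key signing party, and the repository key becomes valid only when the chain of signatures from those keys reaches it. The model follows GnuPG's default thresholds (one full or three marginal introducers, depth at most 5) but is a constructed illustration, not GnuPG's code; all key names and the scenario are made up.

```python
# Added example (not from the LWN comment): a simplified model of how a PGP
# web of trust turns third-party signatures into a validity verdict for a
# repository signing key. It uses GnuPG's default thresholds (1 fully trusted
# or 3 marginally trusted introducers, certification depth <= 5) but is not
# GnuPG's code; the key names and the scenario below are constructed.
FULL, MARGINAL = "full", "marginal"
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5


def compute_valid_keys(signatures, ultimate, owner_trust):
    """Return {key: depth} for every key the user may treat as valid.
    signatures:  {key: set of keys that certified it}
    ultimate:    keys the user controls (valid at depth 0)
    owner_trust: {key: FULL|MARGINAL}; keys absent here never act as
                 introducers even when their own key is valid."""
    valid = {k: 0 for k in ultimate}
    changed = True
    while changed:  # fixpoint over the signature graph
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid and valid[s] < MAX_CERT_DEPTH]
            full = [s for s in usable if s in ultimate or owner_trust.get(s) == FULL]
            marg = [s for s in usable if s not in ultimate and owner_trust.get(s) == MARGINAL]
            if len(full) >= COMPLETES_NEEDED or len(marg) >= MARGINALS_NEEDED:
                valid[key] = 1 + min(valid[s] for s in full + marg)
                changed = True
    return valid


def repo_key_valid(repo_signers, maintainer_signers):
    """Constructed scenario: the user ('me') met alice, bob and carol at a key
    signing party, signed their keys and marks each as a marginal introducer;
    the maintainer is trusted fully to certify the repository key."""
    signatures = {"alice": {"me"}, "bob": {"me"}, "carol": {"me"},
                  "maintainer": set(maintainer_signers),
                  "repo-key": set(repo_signers)}
    trust = {"alice": MARGINAL, "bob": MARGINAL, "carol": MARGINAL,
             "maintainer": FULL}
    return "repo-key" in compute_valid_keys(signatures, {"me"}, trust)


if __name__ == "__main__":
    # A key that merely sits on the download server: no chain, no validity.
    print(repo_key_valid([], []))                                      # False
    # The chain forthy describes: three party-goers vouch for the maintainer,
    # whose personal key certifies the repository key.
    print(repo_key_valid(["maintainer"], ["alice", "bob", "carol"]))   # True
    # Only two signers on the maintainer's key: below the marginal threshold.
    print(repo_key_valid(["maintainer"], ["alice", "bob"]))            # False
```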


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds