
Practical security for 2014

Posted Jan 10, 2014 8:20 UTC (Fri) by Cyberax (✭ supporter ✭, #52523)
In reply to: Practical security for 2014 by ibukanov
Parent article: Practical security for 2014

The way forward would be asking Google to counter-sign user certificates. Perhaps, limiting them to a single machine.



Practical security for 2014

Posted Jan 10, 2014 10:58 UTC (Fri) by ibukanov (subscriber, #3942)

How can Google do that signing? It cannot be done via a website, as malware can just submit the key via that web interface.

Practical security for 2014

Posted Jan 10, 2014 16:26 UTC (Fri) by raven667 (subscriber, #5198)

That's true as far as it goes, but as a practical matter a hypothetical key-signing web interface could use CAPTCHAs, verification over email or SMS, or require password re-auth to make sure that the owner is in the loop. The central authority also has privileged access to the request logs and can mine them to block the signatures of scripted attacks. So there is not a 100% guarantee of no signed malware, but the risk can be mitigated in several ways.

Practical security for 2014

Posted Jan 13, 2014 14:53 UTC (Mon) by epa (subscriber, #39769)

Each Chromebook would come with a piece of paper listing a secret code you need to type into the web interface for Google to sign your bootloader. Or even a sticker on the bottom of the computer - the point is it's not something which can be read by software.

Practical security for 2014

Posted Jan 13, 2014 18:23 UTC (Mon) by khim (subscriber, #9252)

This will not work. Said code would need to be kept in some separate database to make sure the warranty is properly voided when the bootloader is unlocked. But if you don't mind a voided warranty then you can already remove the washer, so what's the point?

Practical security for 2014

Posted Jan 17, 2014 9:49 UTC (Fri) by robbe (subscriber, #16131)

Isn't Matthew's criticism that removing the washer does away with Secure Boot altogether (i.e. it removes any perceived security)?

Practical security for 2014

Posted Jan 17, 2014 13:28 UTC (Fri) by mjg59 (subscriber, #23239)

Removing the washer allows you to reflash your own keys. You then need to replace the washer in order to re-enable security, otherwise anyone who gains root can replace your keys.

