It would seem a trivial matter to use DNS for checking MD5 sums from several
locations. I mean, sure, DNS is easily spoofed, and there's issues about how
to get the MD5 sums into the DNS DB securely, and a bunch of other
problems... but as far as defense in depth, it would seem more prudent than
relying on MD5 checksums that reside on the same host as the possibly
trojaned files.

Just add into package installing software the functionality to check the MD5
sums from a couple different DNS servers, using a lookup that requests the
DNS name of openssh-makefile.openbsd.org and receives a CNAME of
md5string.openbsd.org, or an IP address based on a hash of the MD5 sum (I'm
no cryptographer, but I imagine someone could figure it out. S/key uses
hashes converted to words -- that's pretty goofy, but it works).

It would raise the bar, not solve the problem. But raising the bar certainly
won't hurt... except for when someone figures out that there's an unchecked
buffer in the DNS resolver, but something like that surely wouldn't ever
happen.

-tcannon

PS: Yes, I know there was a problem with DNS resolver libraries recently. It
was a joke. Ha ha. *sigh...*

On Mon, 5 Aug 2002, Nick Lange wrote:

> Ok, a weekend late [ I forgot to send this]...
>
> once again, forcing a web of trust on the code we deploy anyways...
> so we can either take up Signature authorities for files on the net [Which I
> don't like... as this is only the first real case of poisoned files on a big
> distro]
> OR
> have MD5 Sums from multiple locations pulled and then an average presented
> to the user, assuming that these locations wouldn't be updated as fast
> [perhaps forcing a 1-2 day delay on updating any sums for a given mirror
> except for new entries?] we can increase the probability that a release can
> be trusted slightly...
> or perhaps, if I am mirror A have a watchdog script compare my md5 sum to
> every other md5 sum across the mirrors, and take some action should the
> ratio of unmatching MD5's fall below a certain percentage...
> or something like that.
> Do scripts like that exist already?
> Cheers,
> nick
> ----- Original Message -----
> From: <wozzat_private>
> To: "Eirik Seim" <defaultat_private>
> Cc: <vuln-devat_private>; "Steve Wright" <stevewat_private>
> Sent: Friday, August 02, 2002 1:20 PM
> Subject: Re: Re: ssh trojaned
>
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Of course, verifying checksums does you no good if the checksums have been
> > replaced along with the binary. Be sure to acquire your checksums from some
> > other, presumably safe, location.
> >
> > On Thu, 1 Aug 2002 22:41:39 +0200 (CEST), Eirik Seim <defaultat_private>
> > wrote:
> > >
> > >Oh, and the guys that inserted the trojan might easily have had access to
> > >more on the same ftp site, and subsequently also its mirrors. If you don't
> > >usually verify checksums, now is a great time to start doing so.
> > >
> > >
> > >- Eirik
> > >--
> > >New and exciting signature!
> > >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: Hush 2.1
> > Note: This signature can be verified at https://www.hushtools.com
> >
> > wlsEARECABsFAj1KzbEUHHdvenpAMHhkZWFkYmVlZi5vcmcACgkQ1vK8vFo3sjzZEQCf
> > YpqiXaafmDfMuhErWoaJ/u86csgAoLvBK8uxMoIDpfZdfOwBrwdnRRYD
> > =EoUt
> > -----END PGP SIGNATURE-----
> >
> "No brain, no headache"
This archive was generated by hypermail 2b30 : Mon Aug 05 2002 - 13:43:02 PDT
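
The multi-location comparison discussed in this thread (sums pulled from several mirrors or from DNS, with action taken when agreement drops below a threshold), as an added example that is not part of any poster's message. Function names, source names, the 0.75 quorum and the sample data are hypothetical, and the caller is assumed to have already fetched each source's published sum over its own channel.

```python
import hashlib
from collections import Counter

def file_digest(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of the downloaded file; MD5 by default, as in the thread."""
    return hashlib.new(algorithm, data).hexdigest()

def cross_check(local_hex: str, published: dict, quorum: float = 0.75) -> dict:
    """Compare a local digest with digests published by independent sources.

    published maps a source name to the hex digest it returned, or None when
    the source could not be reached. quorum is the fraction of answering
    sources that must agree before their value is trusted at all.
    """
    answers = {s: d.strip().lower() for s, d in published.items() if d}
    if len(answers) < 2:
        # A single source is the "checksum sits next to the file" case again.
        return {"verdict": "insufficient-sources", "agreement": 0.0, "dissenters": []}
    majority, votes = Counter(answers.values()).most_common(1)[0]
    agreement = votes / len(answers)
    dissenters = sorted(s for s, d in answers.items() if d != majority)
    if agreement < quorum:
        verdict = "no-consensus"      # sources disagree too much to trust any
    elif local_hex.strip().lower() != majority:
        verdict = "local-mismatch"    # our copy differs from the agreed value
    else:
        verdict = "ok"
    return {"verdict": verdict, "agreement": agreement, "dissenters": dissenters}

# Constructed sample data: file contents and source names are made up.
GOOD = b"constructed release tarball"
BAD = GOOD + b" with extra build step"
SOURCES = {
    "mirror-a.example": file_digest(GOOD),
    "mirror-b.example": file_digest(GOOD),
    "mirror-c.example": file_digest(BAD),    # one mirror serves a different sum
    "dns-lookup.example": file_digest(GOOD),
    "mirror-d.example": None,                # unreachable, ignored
}

if __name__ == "__main__":
    for name, blob in (("clean copy", GOOD), ("altered copy", BAD)):
        print(name, cross_check(file_digest(blob), SOURCES))
```

The dissenters list is what a mirror-side watchdog would alert on; the verdict is what an installer would act on.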