Vulnerability of OpenSource Software download mechanisms: VLC
grarpamp
grarpamp at gmail.com
Mon Jul 3 14:16:24 PDT 2017
Using videolan purely as representative example...
Here are some keys...
https://download.videolan.org/pub/keys/
https://keyserver.siccegge.de:11371/pks/lookup?search=0xE58D1ADC&fingerprint=on&hash=on&op=vindex
Their main app is signed.
But like most orgs, they still think unsigned '.md5 / .sha1' text files
are somehow both unbroken crypto hashes, and unmolestable...
https://download.videolan.org/pub/videolan/vlc/2.2.6/
Probably none of rest of their tree / libraries are signed...
https://download.videolan.org/pub/videolan/
Probably also not signed is their repo init hash, or any subsequent
tagged commits (btw, monotone.ca is a bit more integrated there)...
https://git.videolan.org/
And depending on jurisdiction, even looking at these subjects over
cleartext could be a privacy / legal / watchlist nightmare...
https://download.videolan.org/pub/videolan/libdvdcss/1.4.0/
https://download.videolan.org/pub/videolan/libbluray/1.0.1/
https://download.videolan.org/pub/videolan/libaacs/0.9.0/
https://download.videolan.org/pub/videolan/libbdplus/0.1.2/
Any hacked consumer router / wifi / ISP / corp / gov can easily
intercept / replace the 'tarball' '.asc' pair on the fly.
HTTPS can help with that. But even CA's, letsencrypt.org, and browser
cert store are subvertable.
That's why TLS cert fingerprint pinning and cert observatories also exist.
Then you've got ARP, IP and DNS MITM and BGP too, neither have really
globally fully deployed 'SEC' versions yet.
For cookies, there's domain validity and TLS horizon issues.
And for binaries, there's reproducibility and chain of trust back to source.
Then distribution channels and bitrot and hardware / software / service /
human backdoors, exploits, and exploitation.
That's the sad global state of affairs. It's easy to bury your head or be busy.
While imperfect alone, default HTTPS / TLS is free and easy and helps negate
and make things harder in depth, and pisses off some adversaries.
It's part of the game till something better comes, just do it.
To their credit (or Gandi as their possible hoster), this actually works, it's
just not the enforced / exclusive default, which is a fairly easy
switch to flip...
https://www.videolan.org/
https://www.ssllabs.com/ssltest/analyze.html?d=www.videolan.org&s=88.191.250.2&latest
They accept bitcoin...
https://www.videolan.org/contribute.html
Don't look here either...
http://www.labdv.com/aacs/
http://forum.doom9.org/forumdisplay.php?f=9
Curiously, the end2end of onion / i2p / cjdns services bypass
some of those issues, but few clearnet sites offer them.
More information about the cypherpunks
mailing list