Targeting users of soft designed for encrypting data & comm

For discussions about security.
belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

Targeting users of soft designed for encrypting data & comm

#1 Post by belham2 »

http://www.securityweek.com/strongpity- ... unications

Further reason to triply make sure what you're looking for is the official site (always go to DuckDuckGo/Google/Bing first for site verification, and never come from a link) and not some well-designed fake. And second, to make sure to use GPG and/or strong digital-code signing for verification when downloading anything from the Internet. Outside of the ease today with which it is to check md5/sha1/sha256/sha512 sums, GPG verification can still be a bit clumsy. But GPG --keyserver, then --fingerprint, then --verify is always worth the time to perform (from terminal), plus any extra time it initially takes you to learn it & to make it become 2nd nature when downloading anything off the worldwide net. Even things like browsers, i.e. Firefox--always check the sha256 PLUS the GPG signature signing those. Don't fool yourself thinking that if you see "https://...." in your browser window, when you are downloading from the Internet, that you are completely safe and do not need to worry about anything other than md5/shasum file integrity checking.


I am not aware of any existing on murga, but have always wondered if any of the pup builders would ever include GPG signing, like many small linux (the big ones it is standard practice) distros do, for their pup OS downloads? Creating a PGP key, uploading that key to just one GPG keyserver (which automatically updates all keyservers), is not hard. Yes, the md5/shasums now provided by pup builders are great, but most people still don't understand md5/shasums provide no security. Md5/shasums only check file integrity, i.e., that we are getting the same file as is on that server. But if that server ever gets compromised, we as users would never, ever know until it is too late because the pup distro is not GPG signed & we had no way to check that crucial security (that we are actually getting the PupOS the builder intended).

Pffffft, hey, no sweat, we've nothing to worry about, right?? it's not like servers and/or download sites (even Google's) can ever get compromised. :(
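The "--keyserver, then --fingerprint, then --verify" routine above, written out as shell functions so the result is checked by machine rather than by eyeballing gpg's output. This is an added example, not part of the original post and not any Puppy builder's tooling: the keyserver, file names and the "Demo Builder" key are placeholders, and the demo generates a throwaway key in a temporary keyring instead of fetching a real one.

```shell
#!/bin/sh
# Added example (not from the forum post): checksum-plus-GPG download check.
# All key ids, URLs and file names are placeholders; the demo key is generated locally.

sha256_of() {
  # Portable digest: GNU coreutils sha256sum, or shasum on BSD/macOS.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

verify_sha256() {
  # $1 = downloaded file, $2 = expected digest copied from the builder's checksum file.
  # Proves only that we got the bytes the server offered, not that the server is honest.
  [ "$(sha256_of "$1")" = "$2" ]
}

fetch_key() {
  # Step 1: gpg --keyserver ... --recv-keys. Ask by full fingerprint, never by name or
  # short id, so the keyserver cannot hand back a look-alike key. (Not run by the demo.)
  gpg --keyserver "${KEYSERVER:-hkps://keys.openpgp.org}" --recv-keys "$1" >/dev/null 2>&1
}

key_fingerprint_present() {
  # Step 2: --fingerprint, in --with-colons form. $1 = the 40-hex fingerprint obtained
  # out of band (project website, a trusted contact), not from the download server.
  gpg --with-colons --fingerprint "$1" 2>/dev/null \
    | awk -F: -v want="$1" '$1=="fpr" && $10==want {found=1} END {exit found?0:1}'
}

verify_gpg() {
  # Step 3: --verify, read through --status-fd. "Good signature" from *some* key is not
  # enough: the VALIDSIG line must name the pinned fingerprint (subkey or primary).
  # $1 = detached signature, $2 = signed file, $3 = expected fingerprint.
  gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null \
    | awk -v want="$3" '$2=="VALIDSIG" && ($3==want || $NF==want) {ok=1} END {exit ok?0:1}'
}

verify_download() {
  # $1 = pinned fingerprint, $2 = file, $3 = detached signature, $4 = expected sha256.
  verify_sha256 "$2" "$4" && verify_gpg "$3" "$2" "$1"
}

demo_local_key() {
  # Constructed end-to-end run inside a subshell with a throwaway GNUPGHOME.
  # Prints OK and returns 0 if the good case passes and both bad cases are rejected.
  (
    tmp=$(mktemp -d) || exit 1
    chmod 700 "$tmp"
    export GNUPGHOME="$tmp"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Demo Builder <demo@example.invalid>' default default never \
      >/dev/null 2>&1 || exit 1
    fpr=$(gpg --with-colons --fingerprint 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}')
    printf 'pretend this is an ISO\n' > "$tmp/puppy.iso"
    sum=$(sha256_of "$tmp/puppy.iso")
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --armor --detach-sign \
      -o "$tmp/puppy.iso.asc" "$tmp/puppy.iso" 2>/dev/null || exit 1
    key_fingerprint_present "$fpr" || exit 1
    verify_download "$fpr" "$tmp/puppy.iso" "$tmp/puppy.iso.asc" "$sum" || exit 1
    # Valid signature, but from a key other than the one we pinned: must be rejected,
    # even though gpg alone would still print "Good signature".
    bogus=0000000000000000000000000000000000000000
    verify_gpg "$tmp/puppy.iso.asc" "$tmp/puppy.iso" "$bogus" && exit 1
    # One appended byte must break the checksum.
    printf 'x' >> "$tmp/puppy.iso"
    verify_sha256 "$tmp/puppy.iso" "$sum" && exit 1
    gpgconf --kill all >/dev/null 2>&1 || true
    rm -rf "$tmp"
    echo OK
  )
}

# Usage: sh verify.sh demo   (self-test with a locally generated key)
case "${1:-}" in demo) demo_local_key ;; esac
```

Two design points worth noticing. The fingerprint comparison is done on the full 40-hex value from `--with-colons` output, so a key with a matching name or colliding short id does not pass. And `verify_gpg` ignores gpg's exit status on its own: a signature from an unrelated key in your keyring also exits 0 with "Good signature" (plus a "not certified" warning), which is exactly the case the pin is there to catch.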

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#2 Post by s243a »

So, though, we would already have to have the GPG key before the server gets compromised. If we are security conscious we likely would, but it will take some education of users about security practices.

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#3 Post by Scooby »

Good ideas about code-signing but the article is exclusively
about threats on the spyware platform formerly known as Windows
