Wireshark-bugs: [Wireshark-bugs] [Bug 1086] New: GPG key for releases should be signed to preven
Date: Fri, 1 Sep 2006 22:18:00 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1086

           Summary: GPG key for releases should be signed to prevent Trojans
           Product: Web sites
           Version: N/A
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Main site - www.wireshark.org
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: rmunn@xxxxxxxxx


The GPG key used to sign the
http://www.wireshark.org/download/SIGNATURES-0.99.3.txt file (and future
release signatures) is currently (as of September 1st, 2006) self-signed but
has no other signatures on it. This leaves open the possibility of a Trojan
attack: if someone manages to get enough access to the wireshark.org site to
upload a Trojaned binary, he could also simultaneously upload a faked GPG key
to make his Trojaned binaries look legit.

In fact, for all we know, this could already have happened. Not that I actually
think this likely, but in the field of security, the right question isn't "Am I
being paranoid?" The right question is, "Am I being paranoid *enough*?" :-)

To protect against this, it would be best if Gerald Combs could get his key
signed by some other well-known GPG keys. "Well-known GPG keys", in this case,
would be keys that are signed by enough other keys to be part of the primary
Web of Trust. This avoids someone uploading a faked key with six signatures
that turn out to be "Sock Puppet #1, Sock Puppet #2, Sock Puppet #3...".


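The check the report asks for, sketched as an added example (not part of the original bug report and not Wireshark project code): it parses the colon-delimited listing that `gpg --with-colons --check-sigs` prints and separates the self-signature from certifications made by keys the verifier has already verified, and from certifications by unknown keys that could be sock puppets. The key IDs, names and the `verified_keyids` set are constructed for illustration.

```python
# Constructed sample of `gpg --with-colons --check-sigs <key>` output.
# All key IDs and user IDs below are made up for illustration.
SAMPLE = """\
pub:-:1024:17:AAAAAAAAAAAAAAAA:1150000000:::-:::scESC:
uid:-::::1150000000::0000::Release Signer <releases@example.org>:
sig:!::17:AAAAAAAAAAAAAAAA:1150000000::::Release Signer <releases@example.org>:13x:
sig:!::17:BBBBBBBBBBBBBBBB:1151000000::::Sock Puppet #1:10x:
sig:?::17:CCCCCCCCCCCCCCCC:1151000000::::[User ID not found]:10x:
sig:!::17:DDDDDDDDDDDDDDDD:1152000000::::Known Developer <dev@example.net>:12x:
sub:-:2048:16:EEEEEEEEEEEEEEEE:1150000000::::::e:
sig:!::17:AAAAAAAAAAAAAAAA:1150000000::::Release Signer <releases@example.org>:18x:
"""

# OpenPGP signature classes 0x10-0x13 are certifications of a user ID;
# 0x18 (subkey binding) and others say nothing about who vouches for the key.
CERT_CLASSES = {"10", "11", "12", "13"}


def classify_certifications(colon_output, verified_keyids):
    """Sort the certifications on a key by who made them.

    verified_keyids: key IDs the caller has verified out of band
    (hypothetical input; this is the caller's own trust anchor set).
    """
    result = {"self": [], "anchored": [], "unanchored": [], "unchecked": []}
    primary = None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary = f[4]                      # field 5: key ID
        elif f[0] == "sig" and len(f) > 10 and f[10][:2] in CERT_CLASSES:
            signer, status = f[4], f[1][:1]     # field 2: '!' means verified good
            if status != "!":
                result["unchecked"].append(signer)   # bad, or signer key missing
            elif signer == primary:
                result["self"].append(signer)        # self-signature only
            elif signer in verified_keyids:
                result["anchored"].append(signer)    # vouched for by a known key
            else:
                result["unanchored"].append(signer)  # valid, but signer unknown
    return result


def has_independent_trust_path(colon_output, verified_keyids):
    """True only if at least one already-verified key certified this key."""
    return bool(classify_certifications(colon_output, verified_keyids)["anchored"])
```

A key whose only entries fall under `self` or `unanchored` is in the position the report describes: the number of signatures says nothing until one of the signers is a key the verifier already trusts.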