Secure downloads

Recently, a zero-day security flaw was published for ProFTPd. The ProFTPd crew responded quickly and patched the flaw within a few days. Unfortunately, the server used to host the source code was compromised, and the attackers were able to add a backdoor to the source code on the official distribution servers. Even though the added backdoor invalidated the provided GPG signatures, it took three days for the issue to be found and fixed.

The true problem with signing source code is that it is not a way to protect your users; it is a way to allow users to protect themselves. If users don't check the signatures, they are not protected. While checking a signature isn't particularly hard, it is quite a bit of extra work: in addition to downloading the tarball, you need to download the signature, obtain and verify the key, and then verify the signature. These extra steps take time, and most users don't want to spend it. Fortunately for Debian users, apt-get can do most of these tasks automatically.

Though apt-get automates most of the work, there is one step that needs human intervention: verifying the key. If our download server is compromised, the attacker could not only replace the source code and executables, he could also replace the signatures and the public key we host there. Once both the public key and the signatures have been replaced, new users have no way of knowing the signatures are fake. Fortunately, our public key is also hosted elsewhere (on all public key servers). The ID is 4EAC69B9. Note that a short key ID like this is only 32 bits, and keys with a colliding short ID can be generated cheaply, so compare the full fingerprint of the key you fetch from the key servers against the one published here, not just the ID.

You should always check the key before importing it, but we're aware few people actually do that. To reduce the risk, our download server (which hosts the signed content) and our web server (which provides the instructions for getting the key) are independent machines running different Linux distributions with very different software profiles. Both machines would need to be compromised for a user to be tricked into downloading compromised code. Though this is certainly not impossible, the likelihood is low. The check only helps if the fingerprint you compare against comes from the web server or the key servers, never from the download server that also serves the key.
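The manual procedure from the last three paragraphs, as an added example that is not code from the original post or its project. It assumes gpg 2.1 or later on PATH and builds everything else itself: throwaway keys in temporary keyrings, a constructed "tarball" and three constructed download directories (a genuine one, one from a compromised server that replaces tarball, signature and public key with a look-alike key, and one ProFTPd-style where only the tarball was modified). The fingerprint the web site would publish is represented by the variable PINNED_FPR; the file names and user IDs are made up for the example.

```shell
#!/bin/sh
# Added example, not the post's own code: verify a detached GPG signature with
# the signer's fingerprint pinned from somewhere other than the download server.
set -eu

WORK=$(mktemp -d)
cleanup() {
    for d in "$WORK"/*-home; do
        [ -d "$d" ] && GNUPGHOME=$d gpgconf --kill all 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gpg wrapper: batch mode, empty passphrase, explicit keyring directory, so
# nothing here touches the real ~/.gnupg.
g() {  # g <keyring-dir> <gpg args...>
    _home=$1; shift
    [ -d "$_home" ] || mkdir -m 700 "$_home"
    GNUPGHOME=$_home gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"
}

# Create a signing key in a keyring and print its full (primary) fingerprint.
make_key() {  # make_key <keyring-dir> <uid>
    g "$1" --quick-gen-key "$2" default default never 2>/dev/null
    g "$1" --with-colons --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}

# What a download server publishes: tarball, detached signature, public key.
publish() {  # publish <signer-keyring> <signer-fpr> <dist-dir> <tarball-content>
    mkdir -p "$3"
    printf '%s\n' "$4" > "$3/proj-1.0.tar.gz"   # stand-in for a real tarball
    g "$1" --local-user "$2" --armor --detach-sign \
        --output "$3/proj-1.0.tar.gz.asc" "$3/proj-1.0.tar.gz"
    g "$1" --armor --export "$2" > "$3/KEY.asc"
}

# The weak check: import whatever key the server offers and look only at the
# exit status of gpg --verify.  "Good signature" here only means "signed by
# some key in my keyring", which a compromised server satisfies trivially.
naive_verify() {  # naive_verify <user-keyring> <dist-dir>
    g "$1" --import "$2/KEY.asc" 2>/dev/null || return 1
    g "$1" --verify "$2/proj-1.0.tar.gz.asc" "$2/proj-1.0.tar.gz" 2>/dev/null
}

# The check the post asks for: the expected fingerprint is pinned out of band,
# and the VALIDSIG status line must name exactly that fingerprint.  A replaced
# key, a replaced signature or a modified tarball all fail this test.
strict_verify() {  # strict_verify <user-keyring> <dist-dir> <pinned-fpr>
    g "$1" --import "$2/KEY.asc" 2>/dev/null || return 1
    g "$1" --status-fd 1 --verify "$2/proj-1.0.tar.gz.asc" "$2/proj-1.0.tar.gz" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

# --- Constructed scenario ----------------------------------------------------
# Project key; its fingerprint is what the independent web site would print.
PINNED_FPR=$(make_key "$WORK/project-home" "Example Project <release@example.invalid>")
publish "$WORK/project-home" "$PINNED_FPR" "$WORK/dist-good" "genuine release"

# Compromised download server: same user ID on a fresh key, backdoored tarball,
# fresh signature, and the attacker's public key served as KEY.asc.
ATTACKER_FPR=$(make_key "$WORK/attacker-home" "Example Project <release@example.invalid>")
publish "$WORK/attacker-home" "$ATTACKER_FPR" "$WORK/dist-evil" "genuine release plus backdoor"

# ProFTPd-style tampering: genuine key and signature, modified tarball.
mkdir -p "$WORK/dist-tampered"
cp "$WORK/dist-good"/* "$WORK/dist-tampered/"
printf 'backdoor\n' >> "$WORK/dist-tampered/proj-1.0.tar.gz"

report() {  # report <label> <command...>
    _label=$1; shift
    if "$@"; then echo "$_label: accepted"; else echo "$_label: REJECTED"; fi
}
report "naive, genuine"   naive_verify  "$WORK/user-home" "$WORK/dist-good"
report "naive, evil"      naive_verify  "$WORK/user-home" "$WORK/dist-evil"
report "strict, genuine"  strict_verify "$WORK/user-home" "$WORK/dist-good"     "$PINNED_FPR"
report "strict, evil"     strict_verify "$WORK/user-home" "$WORK/dist-evil"     "$PINNED_FPR"
report "strict, tampered" strict_verify "$WORK/user-home" "$WORK/dist-tampered" "$PINNED_FPR"
```

The naive check accepts the compromised server's release because the user imported the key that same server handed out, and a user ID is just a string anyone can put on a key. The strict check matches the fingerprint on gpg's VALIDSIG line against the value learned from the web site, so the attacker's key, the attacker's signature and the edited tarball are all rejected. This is the same pinning apt-get performs with the keyrings in its trusted keyring directory; the one thing apt cannot do for you is decide which fingerprint belongs there.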
