I am trying to download a version of OpenSSH newer than the one preinstalled with my OS. But sadly I find that I can only download it through *unsecured* plain http/ftp/rsync protocols, vulnerable to attacks by anyone in the network path. It is odd that *the* software about security and encryption across untrusted networks is distributed to everyone insecurely and not encrypted. Is there any future plan to distribute OpenSSH over a secured channel, such as https?
On Sun, Oct 12, 2014 at 10:52 AM, Ren Siyuan <netheril96 at gmail.com> wrote:
> I am trying to download a version of OpenSSH newer than the one preinstalled
> with my OS. But sadly I find that I can only download it through *unsecured*
> plain http/ftp/rsync protocols, vulnerable to attacks by anyone in the network
> path. It is odd that *the* software about security and encryption across
> untrusted networks is distributed to everyone insecurely and not encrypted.
> Is there any future plan to distribute OpenSSH over a secured channel, such
> as https?

Er, what about checksum?

> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> insecurely and not encrypted. Is there any future plan to distribute
> OpenSSH over a secured channel, such as https?

why? the sources are signed. also, anoncvs is over ssh.
On 2014-10-12 08:52, Ren Siyuan wrote:
> I am trying to download a version of OpenSSH newer than the one preinstalled
> with my OS. But sadly I find that I can only download it through *unsecured*
> plain http/ftp/rsync protocols, vulnerable to attacks by anyone in the network
> path. It is odd that *the* software about security and encryption across
> untrusted networks is distributed to everyone insecurely and not encrypted.
> Is there any future plan to distribute OpenSSH over a secured channel, such
> as https?

Are you saying you cannot trust the checksum posted on openssh.com?
-- 
Yves.
Ren Siyuan <netheril96 at gmail.com> on Sun, 2014/10/12 22:52:
> I am trying to download a version of OpenSSH newer than the one
> preinstalled with my OS. But sadly I find that I can only download it
> through *unsecured* plain http/ftp/rsync protocols, vulnerable to attacks by
> anyone in the network path. It is odd that *the* software about security
> and encryption across untrusted networks is distributed to everyone
> insecurely and not encrypted. Is there any future plan to distribute
> OpenSSH over a secured channel, such as https?

The OpenSSH development team provides GPG signatures for their source tarballs. So
download the tarball with whatever (insecure) protocol you prefer, download
the gpg signature file (ending .asc) and verify with gpg:

% gpg --verify openssh-6.7p1.tar.gz.asc
gpg: Signature made Mon 06 Oct 2014 05:40:59 AM CEST using RSA key ID 6D920D30
gpg: Good signature from "Damien Miller <djm at mindrot.org>" [unknown]
Primary key fingerprint: 59C2 118E D206 D927 E667 EBE3 D3E5 F56B 6D92 0D30

HTTPS does provide secure data transfer, but does not guarantee data is what
developers intended to provide. If you download a compromised source tarball
via HTTPS it is still compromised.
-- 
Best regards
Chris
O< ascii ribbon campaign
stop html mail - www.asciiribbon.org
How do I trust the key then?

On Oct 12, 2014, at 23:05, Christian Hesse <mail at eworm.de> wrote:
> Ren Siyuan <netheril96 at gmail.com> on Sun, 2014/10/12 22:52:
>> I am trying to download a version of OpenSSH newer than the one
>> preinstalled with my OS. But sadly I find that I can only download it
>> through *unsecured* plain http/ftp/rsync protocols, vulnerable to attacks by
>> anyone in the network path. It is odd that *the* software about security
>> and encryption across untrusted networks is distributed to everyone
>> insecurely and not encrypted. Is there any future plan to distribute
>> OpenSSH over a secured channel, such as https?
>
> The OpenSSH development team provides GPG signatures for their source tarballs. So
> download the tarball with whatever (insecure) protocol you prefer, download
> the gpg signature file (ending .asc) and verify with gpg:
>
> % gpg --verify openssh-6.7p1.tar.gz.asc
> gpg: Signature made Mon 06 Oct 2014 05:40:59 AM CEST using RSA key ID 6D920D30
> gpg: Good signature from "Damien Miller <djm at mindrot.org>" [unknown]
> Primary key fingerprint: 59C2 118E D206 D927 E667 EBE3 D3E5 F56B 6D92 0D30
>
> HTTPS does provide secure data transfer, but does not guarantee data is what
> developers intended to provide. If you download a compromised source tarball
> via HTTPS it is still compromised.
> -- 
> Best regards
> Chris
> O< ascii ribbon campaign
> stop html mail - www.asciiribbon.org
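The gpg step Christian describes and the "how do I trust the key" follow-up, as an added example that is not code from the thread or from OpenSSH: a small Python wrapper that pins the release key's fingerprint (the value quoted in the thread, obtained out of band) and reads gpg's machine-readable status lines, so that a "Good signature" from any other key is rejected rather than trusted. `verify_tarball`, `check_status` and the sample status lines are my own constructions.

```python
import subprocess

# Release-key fingerprint quoted in the thread above (Damien Miller's key),
# obtained out of band: this is the value we pin, not anything gpg prints.
PINNED_FPR = "59C2 118E D206 D927 E667 EBE3 D3E5 F56B 6D92 0D30"

def normalize_fpr(fpr):
    """Strip spaces and upper-case so pasted fingerprints compare equal."""
    return fpr.replace(" ", "").upper()

def check_status(status_output, pinned_fpr):
    """True only if gpg reported a VALIDSIG from the pinned key.
    GOODSIG carries only a key ID, so it is ignored; VALIDSIG carries the
    signing key's full fingerprint and, as field 11, the primary key's.
    Either must equal the pin. BADSIG/ERRSIG/NODATA fail immediately."""
    want = normalize_fpr(pinned_fpr)
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in ("BADSIG", "ERRSIG", "NODATA"):
            return False
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            seen = {fields[2]} | ({fields[11]} if len(fields) >= 12 else set())
            if want in {normalize_fpr(f) for f in seen}:
                return True
    return False

def verify_tarball(tarball, sig, pinned_fpr=PINNED_FPR):
    """Run gpg non-interactively (assumes gpg is installed and the signer's
    public key already imported) and apply the pinned-fingerprint check."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig, tarball],
        capture_output=True, text=True, check=False)
    return check_status(proc.stdout, pinned_fpr)

# Constructed sample of --status-fd output for a good signature by the pinned
# key (not a real gpg run); field layout follows gpg's DETAILS documentation.
SAMPLE_GOOD = (
    "[GNUPG:] GOODSIG D3E5F56B6D920D30 Damien Miller <djm@mindrot.org>\n"
    "[GNUPG:] VALIDSIG 59C2118ED206D927E667EBE3D3E5F56B6D920D30 2014-10-06 "
    "1412566859 0 4 0 1 8 00 59C2118ED206D927E667EBE3D3E5F56B6D920D30\n"
)
# Constructed: a signature that also verifies, but by some other key.
SAMPLE_WRONG_KEY = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <x@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2014-10-06 "
    "1412566859 0 4 0 1 8 00 0000000000000000000000000123456789ABCDEF\n"
)
```

The pin itself still has to come from somewhere you trust more than the download channel (a printed fingerprint, a key already on your system, a second independent source); the script only makes sure that decision is enforced rather than left to the "[unknown]" trust gpg reports.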