Open source and signatures
The No. 1 (as of this column's publication) shareware download on WUGNET, "The Ultimate Troubleshooter," is signed, although not in a way that inspires confidence in me. The program comes from a site called AnswersThatWork.com, but the file is signed by eSellerate, "a leading software commerce provider focused on providing the tools and solutions for software publishers to sell more of their software." I'm guessing that eSellerate helped to get that placement on WUGNET, but the point is that having a third party sign the program only confused matters (not that there was any chance I'd install this program).

As one of my blog readers pointed out, there are open-source projects, such as OpenAFS ("a distributed file system product, pioneered at Carnegie Mellon University and supported and developed as a product by Transarc Corporation [now IBM Pittsburgh Labs]"), that utilize signatures. In fact, OpenAFS signs every executable they distribute. The signature belongs to "Secure Endpoints Inc.," but that's OK, since it only takes a few minutes to see that Secure Endpoints is now responsible for AFS development.

The popular approach to this has been the MD5 hash, a mathematical function run on the contents of the file, something like a super-checksum. You get the MD5 value for a particular file from the same place you download it (it may be in a file in the same download directory) and, using a variety of free utilities, you can generate your own MD5 hash and confirm that it matches. I eventually found the Firefox MD5 values in the file ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0/M5SUMS. I checked the specified values against my own MD5 of the Firefox Setup 1.0.exe file (I generated it with Cyohash, the download for which was not signed), and, lo and behold, it matched. Now I expected it to, but this verification was not an easy thing to do.
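The manual check described above (download the checksum file, hash the installer yourself, compare) is easy to script. The following is an added example, not code from the column or from the Mozilla or OpenAFS projects. It assumes the checksum file uses the layout that the md5sum/sha256sum tools emit (`<hex digest>  <filename>`, with an optional `*` before binary-mode names); the "files" and manifest it checks are constructed sample data, not real release data. Because it goes through `hashlib.new`, the same routine verifies SHA-256 manifests, which matters given the MD5 weaknesses the column goes on to mention.

```python
"""Verify downloaded files against an md5sum/sha256sum-style manifest.

Added example. Assumes the GNU coreutils manifest layout:
    <hex digest>  <filename>      (two spaces, or " *" for binary mode)
All file contents and manifest lines below are constructed sample data.
"""
import hashlib
import hmac

# Constructed sample "files", standing in for a download directory.
SAMPLE_FILES = {
    "setup.exe": b"MZ\x90\x00 constructed installer bytes",
    "readme.txt": b"constructed readme\n",
}


def digest(data: bytes, algorithm: str = "md5") -> str:
    """Return the lowercase hex digest of data under the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse md5sum-style lines into {filename: expected_hex_digest}.

    Blank lines and '#' comments are skipped; a leading '*' (binary-mode
    marker) is stripped from the filename.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # not a "<digest> <name>" line; ignore it
        hexdigest, name = parts
        expected[name.lstrip("*")] = hexdigest.lower()
    return expected


def build_manifest(files: dict, algorithm: str = "md5") -> str:
    """Produce a manifest for a set of files (what a publisher would upload)."""
    return "".join(f"{digest(data, algorithm)}  {name}\n" for name, data in files.items())


def verify(files: dict, manifest: str, algorithm: str = "md5") -> dict:
    """Return {filename: "OK" | "MISMATCH" | "MISSING" | "UNLISTED"}.

    MISSING: listed in the manifest but not present among the files.
    UNLISTED: present but not covered by the manifest, so it is unverified.
    """
    expected = parse_manifest(manifest)
    report = {}
    for name, hexdigest in expected.items():
        if name not in files:
            report[name] = "MISSING"
            continue
        actual = digest(files[name], algorithm)
        # compare_digest is the idiomatic constant-time string comparison.
        report[name] = "OK" if hmac.compare_digest(actual, hexdigest) else "MISMATCH"
    for name in files:
        if name not in expected:
            report[name] = "UNLISTED"
    return report


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_FILES)          # publisher side
    print(manifest)
    print(verify(SAMPLE_FILES, manifest))            # clean download: all OK
    tampered = dict(SAMPLE_FILES)
    tampered["setup.exe"] += b"\x00"                 # one byte changed in transit
    print(verify(tampered, manifest))                # setup.exe -> MISMATCH
    print(verify(SAMPLE_FILES, build_manifest(SAMPLE_FILES, "sha256"), "sha256"))
```

Note what this does and does not prove: a matching digest shows the bytes are the ones the manifest describes, but only if the manifest itself came from the publisher. A manifest served by the same mirror as the download can be swapped along with the file, which is exactly the gap a signature over the file (or over the manifest) closes.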
Very few people check signatures, but Windows very often puts the details of the signatures in your face, especially in Windows XP SP2. Firefox makes no mention of it. As a matter of practicality, the MD5 process is opaque. And in the long term, MD5 may be inadequate as a security mechanism. Researchers are already working on ways to defeat it, although the attacks are, for now, "not wildly practical." The open-source community needs to come up with a solution to this problem. Signatures really are a good solution, and they can be gotten for free. Development tools need to make it easy to sign files, and user environments need to make it easy to check the signatures. At that point it really won't matter where the mirrors are or how many times you get redirected. You can know that the file you download is what it claims to be and from whom it claims to originate.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
But with open-source projects it's even more important, in that anyone can make a modified copy. Combine that with the fact that these files could be appearing from almost anywhere and it's clear that open source needs some sort of system to let users verify the authenticity of programs they download.