Open source and signatures

By Larry Seltzer  |  Posted 2004-12-23 Print this article Print

The No. 1 (as of this columns publication) shareware download on WUGNET,"The Ultimate Troubleshooter," is signed, although not in a way that inspires confidence in me. The program comes from a site called, but the file is signed by eSellerate, "a leading software commerce provider focused on providing the tools and solutions for software publishers to sell more of their software." Im guessing that eSellerate helped to get that placement on WUGNET, but the point is that having a third party sign the program only confused matters (not that there was any chance Id install this program).

As one of my blog readers pointed out, there are open-source projects, such as OpenAFS ("a distributed file system product, pioneered at Carnegie Mellon University and supported and developed as a product by Transarc Corporation [now IBM Pittsburgh Labs]"), that utilize signatures. In fact, Open AFS signs every executable they distribute. The signature belongs to "Secure Endpoints Inc.," but thats OK, since it only takes a few minutes to see that Secure Endpoints is now responsible for AFS development.

But with open-source projects its even more important, in that anyone can make a modified copy. Combine that with the fact that these files could be appearing from almost anywhere and its clear that open source needs some sort of system to let users verify the authenticity of programs they download.

The popular approach to this has been the MD5 hash, a mathematical function run on the contents of the file, something like a super-checksum. You get the MD5 value for a particular file from the same place you download it (it may be in a file in the same download directory) and, using a variety of free utilities, you can generate your own MD5 hash and confirm that it matches.

I eventually found the Firefox MD5 values in the file I checked the specified values against my own MD5 of the Firefox Setup 1.0.exe file (I generated it with Cyohash, the download for which was not signed), and—lo and behold—it matched.

Now I expected it to, but this verification was not an easy thing to do. Very few people check signatures, but Windows very often puts the details of the signatures in your face, especially in Windows XP SP2. Firefox makes no mention of it. As a matter of practicality, the MD5 process is opaque.

And in the long term, MD5 may be inadequate as a security mechanism. Researchers are already working on ways to defeat it, although the attacks are, for now, "not wildly practical."

The open-source community needs to come up with a solution to this problem. Signatures really are a good solution, and they can be gotten for free. Development tools need to make it easy to sign files, and user environments need to make it easy to check the signatures. At that point it really wont matter where the mirrors are or how many times you get redirected. You can know that the file you download is what it claims to be and from whom it claims to originate.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. More from Larry Seltzer Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel