Signing installers for added trust


Postby jackjack » Fri Jul 08, 2011 3:14 pm

Given the recent issues / compromise, could you look into getting releases signed with PGP/GPG. This enable users to be able to trust the software that is on the site for download.

IIRC this had been broached before and knocked on the head as it was too time consuming for Garrett. To work around that I would suggest that Joel create a key and have Garrett sign it, then either person could sign the installers as they are released.
jackjack
 
Posts: 295
Joined: Tue May 16, 2006 11:58 am

Re: Signing installers for added trust

Postby DavidHB » Fri Jul 08, 2011 7:05 pm

This is not my area of expertise, but given that the plugins are validated with root certificates, and without the plugins Eraser does nothing, is an extra layer of validation actually required?

I assume that the executables now once again posted on the Eraser site are still the same as those that were there before the breach; I know that Garrett and Joel have been checking material before allowing it back on line. Anyone working directly with the source code will presumably be able to spot a serious malfeasance pretty quickly.

David
I am not an Eraser programmer, but a long-time user; my views may not be the same as those of the Eraser programming team.
Before posting, please read the top 4 topics in the Eraser FAQ, which already provide many of the answers users need.
DavidHB
Eraser Wizard
 
Posts: 2166
Joined: Sat Jan 23, 2010 8:10 pm
Location: Isle of Wight, UK

Re: Signing installers for added trust

Postby jackjack » Sat Jul 09, 2011 1:17 am

DavidHB wrote:This is not my area of expertise, but given that the plugins are validated with root certificates, and without the plugins Eraser does nothing, is an extra layer of validation actually required?


There's more to the code base than the plugins..... or what's to say that something was not hidden in the installer, so while the real eraser gets installed $evil_app gets surreptitiously installed at the same time.

DavidHB wrote:I assume


When we assume, we make an ass out of u and me :)

DavidHB wrote:Anyone working directly with the source code will presumably be able to spot a serious malfeasance pretty quickly.


While I would hope, given that Eraser has a relatively small line count, that it should be spotted, there are plenty of examples of other projects suffering code injection that goes unnoticed for far longer than it should, so there's no reason why the same could not happen to this project.
jackjack
 
Posts: 295
Joined: Tue May 16, 2006 11:58 am

Re: Signing installers for added trust

Postby DavidHB » Sat Jul 09, 2011 9:33 am

jackjack wrote:There's more to the code base than the plugins..... or what's to say that something was not hidden in the installer, so while the real eraser gets installed $evil_app gets surreptitiously installed at the same time.

That is why only the 6.0.8 installer was allowed on line for some time.

jackjack wrote:
DavidHB wrote:I assume


When we assume, we make an ass out of u and me :)

Not so. Foolish or otherwise, everything we say is based on assumptions. So the real question is: are those assumptions reasonable? In this case, knowing the personalities and considering the time lapse before the install files were reposted, the assumption seems reasonable. Joel only needed to check the hash against a known good copy.

jackjack wrote:
DavidHB wrote:Anyone working directly with the source code will presumably be able to spot a serious malfeasance pretty quickly.
While I would hope, given that Eraser has a relatively small line count, that it should be spotted, there are plenty of examples of other projects suffering code injection that goes unnoticed for far longer than it should, so there's no reason why the same could not happen to this project.

The Eraser code is also highly modular and heavily commented; changes would tend to stand out. And of course, the question is not: could it be amended (which, of course, it can), but could it be uploaded back to the server? Again, a bit of file checking ought to have provided reassurance.

I don't say that the Eraser materials are 100% secure. Nothing in this world is. What I am questioning is the cost-benefit of adding extra layers of security.

David
DavidHB
Eraser Wizard
 
Posts: 2166
Joined: Sat Jan 23, 2010 8:10 pm
Location: Isle of Wight, UK

Re: Signing installers for added trust

Postby jackjack » Sat Jul 09, 2011 11:00 am

DavidHB wrote:That is why only the 6.0.8 installer was allowed on line for some time.


How were people supposed to know this 6.0.8 installer was "safe"? Save for the forum (how many people who actually download Eraser visit it?), I do not recall anything being mentioned about a breach on the main website (though it is possible I missed something). What about those people who installed the software between the time of the breach and the detection of it? Without a signed installer, how could they have known what they were getting was safe? Hashes listed on a website are easily changed; cryptographically strong signatures are not as easy to fake.


DavidHB wrote:What I am questioning is the cost-benefit of adding extra layers of security.


(Free software + a couple of seconds additional time to sign + less than 1kb of storage per sig file) is worth the peace of mind for those that need to be sure the software they are getting is what they expect.
jackjack
 
Posts: 295
Joined: Tue May 16, 2006 11:58 am

Re: Signing installers for added trust

Postby DavidHB » Mon Jul 11, 2011 9:10 am

Points taken, but we shall perhaps have to agree to differ as to their weight in the discussion. It's not my call in any case; I shall be interested to see what Joel and Garrett have to say on the issue.

David
DavidHB
Eraser Wizard
 
Posts: 2166
Joined: Sat Jan 23, 2010 8:10 pm
Location: Isle of Wight, UK

Re: Signing installers for added trust

Postby jackjack » Mon Jul 11, 2011 3:27 pm

DavidHB wrote:Points taken, but we shall perhaps have to agree to differ as to their weight in the discussion.


Totally, it's not going to be essential for everyone, so I understand your stance. As it is, I no longer have a use for Eraser myself as I've ditched Windows for the time being; however, I do have contact with a number of people who really do need this extra level of trust, especially after the incident with the Heidi/Eraser servers.
jackjack
 
Posts: 295
Joined: Tue May 16, 2006 11:58 am

Re: Signing installers for added trust

Postby Joel » Wed Aug 31, 2011 5:05 am

Please allow me to reply in two posts.

Firstly, the compromise did not result in any files being modified. Garrett managed to ascertain that the hackers only managed to obtain read access to files on-disk*.

Secondly, Eraser's binaries are all signed by Garrett's and my code signing certificates (Authenticode -- the Windows equivalent of GPG). I've asked Garrett to request revocation of his certificate for safety purposes; mine is stored on my own server (which was not involved in the compromise).

As the binaries (component DLLs and EXEs), the MSIs in the installer, and the bootstrapper are all signed, I do not think that there is a need for a third layer of security here.

I'll reply to your individual comments in a later post.

*I seem to recall that it was only one folder of the C: drive, but I can't remember which nor recall how many files were in there. Garrett will need to confirm on this.
Be sure to read the FAQ before posting. If you found this application useful, please contribute to Eraser's development.

I develop Eraser but I am not an employee of Heidi Computers Ltd. My views do not represent those of Heidi Computers Ltd.
Don't PM or Email me questions: they won't be answered any faster than on the forum and knowledge won't be accessible by all.
Joel
Eraser DevTeam
 
Posts: 3688
Joined: Sat Aug 19, 2006 12:16 am
Location: Singapore

Re: Signing installers for added trust

Postby Joel » Wed Aug 31, 2011 6:36 am

DavidHB wrote:This is not my area of expertise, but given that the plugins are validated with root certificates, and without the plugins Eraser does nothing, is an extra layer of validation actually required?
jackjack wrote:There's more to the code base than the plugins..... or what's to say that something was not hidden in the installer, so while the real eraser gets installed $evil_app gets surreptitiously installed at the same time.
I think Jack's concern is valid -- code can be modified under our noses. However, as mentioned earlier, Eraser's sources are on a separate server (hosted by SourceForge) and were not impacted by the compromise.

DavidHB wrote:I assume that the executables now once again posted on the Eraser site are still the same as those that were there before the breach; I know that Garrett and Joel have been checking material before allowing it back on line.
Actually I discarded the copy on the server and uploaded a fresh copy from my own computer.

DavidHB wrote:Anyone working directly with the source code will presumably be able to spot a serious malfeasance pretty quickly.
They will have to tamper with SourceForge's server; if they modified the code using SVN, the change would be logged.
Joel
Eraser DevTeam
 
Posts: 3688
Joined: Sat Aug 19, 2006 12:16 am
Location: Singapore

Re: Signing installers for added trust

Postby DavidHB » Wed Aug 31, 2011 6:27 pm

So, unless I misunderstand things, jackjack's request was, in effect, already implemented.

David
DavidHB
Eraser Wizard
 
Posts: 2166
Joined: Sat Jan 23, 2010 8:10 pm
Location: Isle of Wight, UK

Re: Signing installers for added trust

Postby Joel » Wed Aug 31, 2011 9:38 pm

Yes -- though I do know why he recommended GPG, because it's open source etc. (just like why Eraser may be preferred over any of the commercial tools). Though I'm inclined to stick to Authenticode, because verification is done by the system automatically; the user does not need to explicitly check (GPG requires you to do so on Windows).
Joel
Eraser DevTeam
 
Posts: 3688
Joined: Sat Aug 19, 2006 12:16 am
Location: Singapore
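The thread's two verification points (every shipped EXE, DLL, MSI and bootstrapper carries an Authenticode signature, and Windows checks it automatically while a user can also check explicitly) can be demonstrated with a defender-side check. This is an added example, not Eraser's own code or tooling; the installer path, the install directory and the signer thumbprint are assumptions/placeholders, and the thumbprint must come from somewhere other than the download page itself, since the concern raised above is that a hash or signature posted on a compromised site can be edited along with the file.

```powershell
# Added example (not Eraser project code): explicitly verify the Authenticode
# signatures on a downloaded installer and on the files it installed, rather
# than relying only on the automatic check Windows performs at install time.
# The thumbprint below is a PLACEHOLDER; obtain the publisher's real
# signing-certificate thumbprint out of band before using this.

$ExpectedThumbprint = 'PLACEHOLDER-REPLACE-WITH-PUBLISHER-CERT-THUMBPRINT'
$Targets = @('C:\Downloads\Eraser-setup.exe')                # assumed bootstrapper path
$Targets += Get-ChildItem -Path 'C:\Program Files\Eraser' -Recurse -Include *.exe,*.dll,*.msi |
            Select-Object -ExpandProperty FullName           # assumed install directory

$failed = 0
foreach ($path in $Targets) {
    $sig = Get-AuthenticodeSignature -FilePath $path

    # Status covers chain trust, hash mismatch and revocation: anything other
    # than 'Valid' means the file is unsigned, altered after signing, or
    # signed by an untrusted or revoked certificate.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$path : signature status $($sig.Status)"
        $failed++
        continue
    }

    # A valid chain alone is not enough: any holder of a CA-issued code
    # signing certificate can produce a 'Valid' signature on a look-alike
    # build, so pin the expected signer as well.
    $actual = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $ExpectedThumbprint) {
        Write-Warning "$path : signed by unexpected certificate $actual"
        $failed++
        continue
    }

    # Timestamped signatures remain verifiable after the signing certificate
    # expires; flag files that were signed without a timestamp for review.
    if (-not $sig.TimeStamperCertificate) {
        Write-Warning "$path : valid but not timestamped"
    }

    Write-Output "$path : OK ($($sig.SignerCertificate.Subject))"
}

if ($failed -gt 0) { Write-Error "$failed file(s) failed verification"; exit 1 }
Write-Output 'All files verified.'
```

Run it from an elevated PowerShell session after installation so the files under the install directory are readable; a non-zero exit is the signal to stop and investigate rather than trust the download.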
