On Aug 4, 2008, at 9:56 PM, h.b.furuseth@usit.uio.no wrote:
Kurt@OpenLDAP.org writes:
On Aug 4, 2008, at 2:06 PM, h.b.furuseth@usit.uio.no wrote:
Kurt@OpenLDAP.org writes:
I note as well that properly deploying release signing requires more than script modification. For instance, one does need to consider that the host to sign the releases might itself been taken over and the implications of such a takeover.
For that part, signatures in the 'https:' site would help.
I think you need to re-think that assertion.
Er, yes, I was thinking of the "outside" equivalent, hacking DNS and "taking over" that way.
Those mounting such attacks are more likely to take over google.com than openldap.org.
I have the impression that's the most common way to "take over" a site, but I may be wrong.
I would say it's a more commonly talked about "take over" approach at present. Though I don't know if its more common that other major site "take over" approaches. But "take over" of small sites, such are openldap.org, are different because the goal is different. Folks "take over" major sites (generally in an isolated way, such as via a particular ISP) because there is a reasonable chance that users will access the taken over site. These take overs often are attempts to install malware on user systems (be careful, that google search button might not be a true google search button).
Take over of small sites is commonly done to deface the site, to gain notoriety or to grind an axe or something.
So, I'm not particularly worried about former, but am worried about the latter.
But you and others brought up https:// in the context of a PGP signing discussion. This is, I think, confused.
-- Kurt