Re: CVE for Kali Linux

["David A. Wheeler" <dwheeler () dwheeler com>]

On Sun, 22 Mar 2015 20:23:00 +0300, Solar Designer <solar () openwall com> wrote:
> IMO, http vs. https is a red herring.  We shouldn't be focusing on
> security of software downloads, but rather on authenticity of the
> software.  If the distribution web server gets compromised, https
> doesn't help.  Thus, GPG signatures and the like.

I agree with you in *principle*.  However, people almost never check signatures
if that process is a separate step. HTTPS is far more secure than
"HTTP plus signatures that are never checked" :-).
Their switch from HTTP to HTTPS for executable downloads is an improvement in *practice*.
(All other downloads are checked with signatures and cryptographic hashes; the
challenge, as always, is getting started with a trust root.)

We need to find ways to make checking essentially automatic in ways it's not today,
preferably ways that don't create more monopoly control points.
Yes, I'm aware that there many places where they *are* checked automatically;
I'm focusing on the areas where they are not.

--- David A. Wheeler