tag:blogger.com,1999:blog-25010298.post8861253243690023660..comments2009-02-21T17:11:45.902-08:00hdmhttp://www.blogger.com/profile/02163635320992069812noreply@blogger.comBlogger9125tag:blogger.com,1999:blog-25010298.post-76168467130145872202009-02-21T16:38:00.000-08:002009-02-21T16:38:00.000-08:00I think Dan Kaminsky has a good set of guidelines:<BR/><BR/> * To succeed, your update package must be:<BR/> o Signed.<BR/> o Signed by you.<BR/> o Signed by you, using the right EKU (Extended Key Usage)<BR/> o Signed from an unrevoked signature<BR/> o Be the same product<BR/> o Be a new version<BR/><BR/>Source: www.doxpara.com/DMK_BO2K8.pptJessehttp://www.blogger.com/profile/06843786961743969513noreply@blogger.comtag:blogger.com,1999:blog-25010298.post-36710946028015804882008-07-31T00:44:00.001-07:002008-07-31T00:44:00.001-07:00i think we should define a new standard for update services based on more reliable cryptographic methods. using a distibuted PKI including all Software vendors is not enough but a little step in the right direction.<BR/>kroakadil_http://www.blogger.com/profile/15483716817373375963noreply@blogger.comtag:blogger.com,1999:blog-25010298.post-46986146405244500142008-07-30T18:28:00.000-07:002008-07-30T18:28:00.000-07:00Just using HTTPS/SSL isn't enough--there needs to be proper certificate verification. <A HREF="http://www.security-objectives.com/advisories/SECOBJADV-2008-01.txt" REL="nofollow">SECOBJADV-001</A> is an example of a vulnerability in an updater that uses HTTPS. In this case, it was Lenovo's SystemUpdate which comes installed by default on their laptops.Derek Callawayhttp://systemofsystems.wordpress.comnoreply@blogger.comtag:blogger.com,1999:blog-25010298.post-78862808816948653972008-07-29T22:58:00.000-07:002008-07-29T22:58:00.000-07:00nate: embedding the public key in a signed executable only prevents the executable from being modified. An attacker could simply supply a different executable with his own key embedded in it.egypthttp://www.blogger.com/profile/11769900739692795929noreply@blogger.comtag:blogger.com,1999:blog-25010298.post-20067003350184223252008-07-29T19:14:00.000-07:002008-07-29T19:14:00.000-07:00Colin:<BR/><A HREF="http://www.cs.arizona.edu/people/justin/packagemanagersecurity/papers.html" REL="nofollow">These papers </A> do a pretty good job of outlining the risks and proper protections.<BR/>Note that it's a much harder problem then you might think..Steve Pinkhamhttp://www.blogger.com/profile/04112162930659042936noreply@blogger.comtag:blogger.com,1999:blog-25010298.post-67435097753148397382008-07-29T14:32:00.000-07:002008-07-29T14:32:00.000-07:00Very nice, as always the update procedure should use https.<BR/><BR/>This is a great tool for security demonstration.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-25010298.post-47071333149589935142008-07-28T23:07:00.000-07:002008-07-28T23:07:00.000-07:00Digitally signing updates should solve most of issues imho.dcnnoreply@blogger.comtag:blogger.com,1999:blog-25010298.post-82276217294457255572008-07-28T21:52:00.000-07:002008-07-28T21:52:00.000-07:00We're all doomed! This is neat stuff that everyone knew was coming but hoped would wait just a little while longer to appear.<BR/><BR/>Re: approach to secure updates. Sign them and embed the public key in your executable. Just beware crypto flaws like not checking RSA padding -- get your design reviewed!natehttp://www.blogger.com/profile/11280644250533859717noreply@blogger.comtag:blogger.com,1999:blog-25010298.post-81321881095811985152008-07-28T10:41:00.000-07:002008-07-28T10:41:00.000-07:00Has anyone published a set of guidelines for writing a secure updater?Colinhttp://www.blogger.com/profile/11026919957524455648noreply@blogger.com