[Python-Dev] Hashes on same site as download?

Tim Delaney timothy.c.delaney at gmail.com
Tue Oct 22 03:47:01 CEST 2013


On 22 October 2013 12:21, Dan Stromberg <drsalists at gmail.com> wrote:

>
> I may be missing something, but it seems the Python tarballs and hashes
> are on the same host, and this is not an entirely good thing for security.
>
> The way things are now, an attacker breaks into one host, doctors up a
> tarball, changes the hashes in the same host, and people download without
> noticing, even if they verify hashes.
>
> If you put the hashes on a different host from the tarballs, the attacker
> has to break into two machines.  In this scenario, the hashes add more
> strength.
>

I'm not a security expert, but I can't see how that gives any more security
than the current system (I tried to find whatever article you're talking
about, but failed). It doesn't matter if you provide downloads in one place
and direct people to get the hashes from elsewhere. An attacker has no need
to compromise the server where the hashes are stored - they only need to
compromise the server that tells you where to get the downloads and hashes.

Then the attacker can simply change the download page to direct you to the
malicious downloads, hashes and keys (which they can place on the same
server, so everything looks legit).

Off the top of my head, one way that would give more security would be to
store a hash of the download page itself elsewhere (preferably multiple
places) and periodically compare that with the live version. Any changes to
the live page would be noticed (eventually) unless the attacker also
compromised all those other machines.

Tim Delaney
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20131022/791d7243/attachment.html>


More information about the Python-Dev mailing list