Re: Severity of Failed checksum for PKGBUILD




On 02/20/2015 07:22 PM, Dolan Murvihill wrote:
> CAs can, and have, deliberately issued fraudulent certificates.
> TrustWave is the only one that has been discovered doing this ---
> and that, only because they came forward on their own years after
> the fact. The security community generally agrees that many, many
> of the less reputable CAs have done or are doing this. TrustWave
> is, by the way, still trusted.
> 
> In addition, there have been many, many fraudulent certificates
> issued by CAs that were not keeping their network secure. Such CAs
> rarely have their trust revoked in practice.
> 
> The bottom line is that the CA network is large and complex, and
> your browser trusts thousands of CAs all over the world, including
> some that are... erm... sketchy. You seem to have an awful lot of
> confidence, considering the size of that attack surface.
> 
> I'd be happy to continue this discussion, but we should split it
> into a separate topic.
> 
> -Dolan
> 

I underestimated how often that has happened. It seems I really should
not have as much trust in all certificate authorities.

So why is it recommended that Arch PKGBUILDs use SHA checksums rather
than MD5 if it rarely helps? Just because we can and it sometimes does
help?
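To make concrete what a PKGBUILD checksum does and does not buy, here is an added example (not from this thread and not makepkg's own code) of a makepkg-style source check: it accepts the md5sums/sha256sums array style plus makepkg's SKIP marker, and shows that a checksum only ties the download to whatever digest the packager recorded, so it catches modification after that point but says nothing about whether the recorded value itself came from a trustworthy upstream. The function names are assumptions; it needs md5sum and sha256sum from coreutils.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from makepkg itself.
# verify_source ALGO FILE EXPECTED
#   ALGO     : md5 or sha256 (the PKGBUILD array style: md5sums / sha256sums)
#   FILE     : downloaded source file
#   EXPECTED : digest recorded in the PKGBUILD, or SKIP (makepkg's "do not check")
# Returns 0 when the digest matches or is skipped, 1 on mismatch, 2 on bad ALGO.
verify_source() {
    algo=$1; file=$2; expected=$3
    if [ "$expected" = "SKIP" ]; then
        echo "$file: $algo check skipped" >&2
        return 0
    fi
    case $algo in
        md5)    actual=$(md5sum "$file" | cut -d' ' -f1) ;;
        sha256) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
        *)      echo "unknown algorithm: $algo" >&2; return 2 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "$file: $algo OK" >&2
        return 0
    fi
    echo "$file: $algo FAILED (expected $expected, got $actual)" >&2
    return 1
}

# Constructed demo: a stand-in for a source tarball and the digest a packager
# would record after fetching it. The digest is trusted exactly as far as that
# first fetch was; the check below cannot tell a tampered upstream from a
# genuine one, only a later change from the recorded value.
demo() {
    tmp=$(mktemp)
    printf 'constructed source contents\n' > "$tmp"
    recorded=$(sha256sum "$tmp" | cut -d' ' -f1)
    verify_source sha256 "$tmp" "$recorded" || return 1           # matches
    printf 'changed after the packager recorded the hash\n' >> "$tmp"
    if verify_source sha256 "$tmp" "$recorded"; then return 1; fi  # must fail
    verify_source sha256 "$tmp" SKIP || return 1                   # SKIP never fails
    rm -f "$tmp"
    return 0
}
```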

