
Comment by icebraining

8 years ago

How do you know the public key is correct?

The level of assurance you get with a signing key downloaded over HTTP and one downloaded over HTTPS is roughly equivalent. Sure, HTTPS gives you a degree of protection from MitM attacks, but it won't stop attackers (whether criminals or militaries) from hacking the web server and changing both the software and the signing keys---after all, if one is possible, so is the other.

  • Clearly we have different concepts of "roughly equivalent" :) One means everyone on your network can trivially serve you trojanized binaries, the other doesn't.

    • I think hacking a web server is a lot easier than hacking a network connection. Hacking web servers is well within the capabilities of your average vandal, while hacking network links in order to perform a MitM attack requires significant resources (e.g., those of a large criminal syndicate or an intelligence service, but I repeat myself).

      Edited to add: ARP-spoofing the right LAN requires spearphishing and APT, which I think also require significant resources.

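The thread's opening question, "how do you know the public key is correct?", comes down to where the trust anchor for the key comes from. Below is an added example (not code posted by any commenter) of the client-side decision that a download verifier has to make: the served key is only accepted if it matches a fingerprint pinned from a second channel, and the binary is then checked against the signed checksum file. Assumptions: the fingerprint is modelled as SHA-256 of the key blob (the SSH convention; OpenPGP fingerprints are derived differently, but the pinning logic is the same), the checksum file uses sha256sum's `<hex>  <filename>` layout, and the actual signature check over that file is delegated to gpg/minisign and is not re-implemented here. All keys, sums and binaries are constructed inline.

```python
"""Trust-anchor decision for a downloaded signing key (added example, not from the thread).

Models the scenario the comments argue about: an attacker who controls the web server
can replace the binary, the checksum file AND the signing key together. A key fetched from
that same server therefore proves nothing; only a fingerprint obtained out-of-band does.
"""
import hashlib
import re


def key_fingerprint(key_bytes):
    # ASSUMPTION: fingerprint = SHA-256 of the raw key blob (SSH-style).
    # Real OpenPGP fingerprints are computed differently; the pinning logic is identical.
    return hashlib.sha256(key_bytes).hexdigest()


def parse_sums(sums_text):
    """Parse a sha256sum-style file ('<hex>  <filename>') into {filename: hex}."""
    sums = {}
    for line in sums_text.splitlines():
        m = re.fullmatch(r"([0-9a-f]{64})\s+\*?(\S+)", line.strip())
        if m:
            sums[m.group(2)] = m.group(1)
    return sums


def verify_download(key_bytes, pinned_fp, sums_text, filename, binary):
    """Return (ok, reason). pinned_fp must come from a channel other than the download server."""
    # 1. Trust anchor: does the served key match the fingerprint we pinned out-of-band?
    if key_fingerprint(key_bytes) != pinned_fp:
        return False, "signing key does not match pinned fingerprint"
    # 2. In a real deployment, verify the detached signature over sums_text with this key
    #    here (gpg --verify / minisign -V). Omitted: this example has no signature scheme.
    # 3. Does the downloaded binary match the (signed) checksum file?
    sums = parse_sums(sums_text)
    if filename not in sums:
        return False, "no checksum for " + filename
    if hashlib.sha256(binary).hexdigest() != sums[filename]:
        return False, "checksum mismatch"
    return True, "ok"


# --- constructed sample data ---------------------------------------------------------
FILENAME = "tool-1.0.tar.gz"
GENUINE_KEY = b"-----BEGIN PUBLIC KEY-----\nGENUINE-KEY-MATERIAL\n-----END PUBLIC KEY-----\n"
PINNED_FP = key_fingerprint(GENUINE_KEY)          # learned from a second channel
GENUINE_BIN = b"\x7fELF genuine build"
GENUINE_SUMS = "%s  %s\n" % (hashlib.sha256(GENUINE_BIN).hexdigest(), FILENAME)

# What a compromised server serves: new key, trojanized binary, matching checksum file.
ATTACKER_KEY = b"-----BEGIN PUBLIC KEY-----\nATTACKER-KEY-MATERIAL\n-----END PUBLIC KEY-----\n"
TROJAN_BIN = b"\x7fELF trojanized build"
ATTACKER_SUMS = "%s  %s\n" % (hashlib.sha256(TROJAN_BIN).hexdigest(), FILENAME)


def scenarios():
    """Run the four cases the thread discusses and return their verdicts."""
    return {
        # honest server, key pinned out-of-band
        "honest": verify_download(GENUINE_KEY, PINNED_FP, GENUINE_SUMS, FILENAME, GENUINE_BIN),
        # compromised server; client 'pins' whatever key the same server hands it (no 2nd channel)
        "compromised_server_tofu": verify_download(
            ATTACKER_KEY, key_fingerprint(ATTACKER_KEY), ATTACKER_SUMS, FILENAME, TROJAN_BIN),
        # compromised server; client pinned the genuine fingerprint elsewhere
        "compromised_server_pinned": verify_download(
            ATTACKER_KEY, PINNED_FP, ATTACKER_SUMS, FILENAME, TROJAN_BIN),
        # only the binary was swapped (e.g. on-path tampering of the HTTP download)
        "swapped_binary_only": verify_download(
            GENUINE_KEY, PINNED_FP, GENUINE_SUMS, FILENAME, TROJAN_BIN),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print("%-26s %s (%s)" % (name, "ACCEPT" if ok else "REJECT", reason))
```

The `compromised_server_tofu` case is the one icebraining describes: when the key and the binary come from the same hacked host, every check passes and the trojanized build is accepted, HTTPS or not. The `compromised_server_pinned` case is what a fingerprint from an independent channel buys you, and `swapped_binary_only` is the narrower on-path case that HTTPS alone would have blocked.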