[openssl-users] Checksum for openssl-1.0.2p download

[Michael Wojcik]

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Jakob Bohm
> Sent: Wednesday, September 12, 2018 17:18
>
> Testing your OpenSSL download with the HTTPS security bites its
> own tail, especially if your download tool uses an (older) version
> of OpenSSL to check the connection.

And as I noted in my previous email, the HTTPS PKI is rubbish. Historically there have been numerous successful attacks on it, even in modes that do not involve user intervention.

It's better than nothing, but checking the PGP signature is defense in depth that does not rely solely on the integrity of the HTTPS PKI.

> But unless you have an established personal list of GPG/PGP keys
> you have checked against their holders in person yourself, checking
> the HTTPS certificate of the OpenSSL.org web server is pretty much
> all you can do to distinguish between a genuine and a fake first time
> OpenSSL download (signatures on later downloads can be compared to
> previous downloadsfor some degree of signature consistency).

There are plenty of other channels that can be used to validate the PGP public key used to confirm the signature of the OpenSSL tarball. None of them are secure in themselves, but by using multiple channels, the defender greatly increases the attacker's work factor and risk of discovery. That's the whole point of defense in depth.

It's not hard to learn how to install an OpenPGP implementation (most likely gpg) and use it to verify a detached signature. There are many tutorials available online. I don't think a lack of experience with PGP or gpg is a valid excuse for not validating the signature.

> Of cause some real knowledge is needed to not use the OpenSSL source
> code incorrectly, unless you are merely compiling other peoples
> software exactly as instructed.

Yes. And this is a much more likely source of problems than a counterfeit OpenSSL distribution.

--
Michael Wojcik
Distinguished Engineer, Micro Focus