New toy: SSLbar

Pete Chown Pete.Chown at skygate.co.uk
Wed Jun 25 07:02:39 EDT 2003


Steven M. Bellovin wrote:

> From a security point of view, why should anyone download any plug-in 
> from an unknown party?  In this very specific case, why should someone 
> download a plug-in that by its own description is playing around in 
> the crypto arena?

I think this is a problem for all open source projects.  Suppose I wrote 
a trojan open source product.  Although the code is open for review, how 
many people actually do review it?  I could list the product on 
Freshmeat, and if it looked like an exciting piece of technology, quite 
a few people might download it.  Probably quite soon someone will find 
the back door, the story would probably be reported on sites like 
Slashdot, and the game would be up.  However, I could have done a lot of 
harm in the meantime.

The other approach would be to contribute trojan code to another open 
source product.  I don't personally think that there is any of SCO's IP 
in the Linux kernel, but SCO's story isn't completely implausible.  A 
rogue contributor could submit code that was SCO's copyright -- or 
contained a back door.  In the case of the Linux kernel, I doubt a back 
door would work because there seems to be quite a lot of peer review. 
However, for other projects it might work okay.

These attacks apply in the corporate world as well, but to a lesser 
extent.  Usually you have a better idea who someone is when you pay them 
money; this is a deterrent because it is a crime to ship trojan software 
wilfully.  It also takes effort to infiltrate someone into a company's 
programming team; contributing code from an anonymous Internet account 
is much easier.

On the other hand, once a back door is installed in binary-only 
software, it is much less likely to be found.  The Interbase back door 
was only found when the source was opened.

I think there are two defences against these attacks.  The first is 
based on developers' reputations.  If you don't have a strong 
reputation, people are much less likely to report on your new open 
source product, and much less likely to download it.  This means that an 
attack might succeed against a few people, but it would be unlikely to 
compromise thousands of machines.  (A moderated Freshmeat would be nice 
here -- you could have a site where a condition of listing your project 
was that you reviewed a certain number of others.)

The second defence is the amount of work that it takes to produce a 
project that someone would be interested in.  If I produced a clone of 
Word, and put a back door in it, no doubt lots of people would download 
it.  However, the work is not justified by the reward; there are simpler 
ways of compromising machines.

-- 
Pete

