How important is it to verify a signature (of say Mullvad Browser)?
-
Thank you for taking the time to write all that! I did do what you described, but the RSA key I got at the end was different from what Mullvad's webpage says, which is the same as what you put, I think: 6131 . . . etc.
Good signature from "Tor Browser Developers (signing key) <[email protected]>" [full]
Did you see this notification at all when you verified the key signature?
-
Good signature from "Tor Browser Developers (signing key) <[email protected]>" [full]
Did you see this notification at all when you verified the key signature?
Yes, I got:
Good signature from "Tor Browser Developers (signing key) <[email protected]>" [full]
Does that mean it's ok? Maybe Mullvad just needs to update their website?
-
Because it's kind of hard! Even if I follow their instructions. Maybe I'm just dumb . . .
If it is hard, it is usually unnecessary. Unless it is critical software (like a firmware update), or you suspect that somebody manipulates your traffic (which is highly unlikely on https sites).
-
Because it's kind of hard! Even if I follow their instructions. Maybe I'm just dumb . . .
From Mullvad support:
-
If it is hard, it is usually unnecessary. Unless it is critical software (like a firmware update), or you suspect that somebody manipulates your traffic (which is highly unlikely on https sites).
Not necessarily traffic. Often download sites use mirrors to serve you the download. Sometimes those links are provided via a CDN, which can be forced to comply with LEA, or some other statically hosted mirrors, which are often hosted by others. The second part is more likely on community-managed software.
So either traffic or the server/CDN behind the link. Happened before.
-
Because it's kind of hard! Even if I follow their instructions. Maybe I'm just dumb . . .
You should always verify the signature and hash for any software you are installing, but also keep in mind that if someone was really trying to send you a malicious download then there's a good chance that they will also deliver you a malicious signing key and hash. And there is really no good solution. If it is critical you can try to get signing keys from different places and with different IPs and maybe even different devices, but pick and choose how long you want to go down this rabbit hole.
-
The important thing is to do it the first time. Then just upgrade the app.
That's bad advice; you don't know how they are updating it. If it is added in the repo then the package manager will check the signing key, but if it is an in-app update then that may not be verifying the new package, and if someone is doing MITM they can switch it up.
-
That's bad advice; you don't know how they are updating it. If it is added in the repo then the package manager will check the signing key, but if it is an in-app update then that may not be verifying the new package, and if someone is doing MITM they can switch it up.
I don't think it's bad advice for most people. Maybe it's just bad advice for your threat model.
-
I don't think it's bad advice for most people. Maybe it's just bad advice for your threat model.
Yeah, I guess so. Due to SSL, if you want to perform a successful MITM you'll need to have control of DNS and must have a rootCA installed on their system/browser. And if it is a supply chain attack where the source itself is corrupted then there is no hope.
-
Because it's kind of hard! Even if I follow their instructions. Maybe I'm just dumb . . .
What's your OS and how are you installing it? It'd be normal for a package manager to check this for you.
-
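An added example, not part of any post in this thread: one reason the key shown by gpg can differ from the fingerprint a vendor publishes is that gpg's "using RSA key" line names the signing subkey, while websites usually list the primary key. The sketch below parses the machine-readable output of `gpg --status-fd 1 --verify`, whose `VALIDSIG` line carries both fingerprints, and checks the primary one against the expected value. All fingerprints, the e-mail address and the status lines are constructed placeholders, and `check_status` is a hypothetical helper name.

```python
# Added example with constructed data; these are NOT real Mullvad/Tor fingerprints.
# The status lines mimic what `gpg --status-fd 1 --verify file.asc file` emits.
PRIMARY = "A" * 40  # constructed: primary-key fingerprint a vendor would publish
SUBKEY = "B" * 40   # constructed: signing subkey that actually made the signature

SAMPLE_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {SUBKEY[-16:]} Example Developers (signing key) <dev@example.invalid>
[GNUPG:] VALIDSIG {SUBKEY} 2024-01-01 1704067200 0 4 0 1 10 00 {PRIMARY}
[GNUPG:] TRUST_FULLY 0 pgp
"""

# Status keywords that mean the signature must not be trusted.
BAD = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"}


def check_status(status_text, expected_primary_fpr):
    """Return (ok, reason); ok only if a valid signature maps to the expected primary key."""
    expected = expected_primary_fpr.replace(" ", "").upper()
    signer = primary = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword in BAD:
            return False, f"gpg reported {keyword}"
        if keyword == "VALIDSIG" and args:
            signer = args[0].upper()
            # The 10th field is the primary-key fingerprint; fall back to the
            # signer's own fingerprint if the field is absent.
            primary = args[9].upper() if len(args) >= 10 else signer
    if signer is None:
        return False, "no VALIDSIG line: signature was not verified"
    if primary != expected:
        return False, f"signed by unexpected primary key {primary}"
    if signer != primary:
        return True, f"ok: subkey {signer} belongs to the expected primary key"
    return True, "ok: signed directly by the expected primary key"


if __name__ == "__main__":
    print(check_status(SAMPLE_STATUS, PRIMARY))
```

The expected fingerprint should come from a channel independent of the download itself, which is the point several replies above make about fetching keys from more than one place.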