Fixing security of software downloads with second Root of Trust

There are a lot of security-conscious people around trying to fix the way we download and verify new software, be it an npm script or a new game.

https://github.com/rootkovska/codehash.db — @rootkovska offers to keep a database of hashes on Github

https://theupdateframework.github.io/ — focuses on updates

https://github.com/ellotheth/pipethis — verifies every update against the Keybase database, showing who exactly signed it. My favorite one, but it lacks adoption, like any sane but unprofitable idea (looking at you, SecureLogin)

While these projects are a bit forward-looking, we have a problem today. How do we deal with installations? Normally there is zero verification, and all trust goes to the http(s, hopefully):// connection serving you the content of the script.

For example, pow.cx doesn’t even bother with SSL. Here’s what they offer now:

$ curl get.pow.cx | sh

It’s over http and it has no checksum. Fine, you can leave it without SSL, but here is an idea for how anyone new could execute some script they don’t trust. First you go to your vendor, who gives you a script like this:

# not sure if works on all platforms
# -f fails on HTTP errors, -sS stays quiet except for errors; stop if the download fails
script=$(curl -fsS http://get.pow.cx) || exit 1
# quote "$script" so the downloaded text is hashed, not the literal word "script"
# (note: $(...) strips trailing newlines and echo adds one back, so the published
# hash must be computed over exactly that text)
if echo "$script" | shasum -a 256 | grep -q 5708c28ed70f5aeb31081a46b1ff4b62f772a424563ab73c1132ca08a38ca4e7; then
  echo "Installing..."
  # echo "$script" | sh
else
  echo "Wrong checksum"
fi

THEN you go to a special Root of Trust website. There should be a couple of different websites where you could just paste that script into a <textarea> and get it verified in a second against their Roots of Trust: that it’s not backdoored, that the checksum is correct, and that the software it contains is indeed “Pow”. Maybe it could show how many people verified the same hash in the last week.

Now an attacker would need to compromise both the vendor (or the connection to it) and that RoT website (or the connection to it).
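The two-source check described above, as an added example (not code from the original post or from pow): the vendor’s hash and the second Root of Trust’s hash are passed in as arguments instead of being fetched, and the installer is a constructed stand-in file, so it runs offline. It also hashes the saved file rather than a shell variable, which avoids the trailing-newline problem of `$(curl ...)`.

```shell
#!/bin/sh
# Added example: verify an install script against two independent sources
# (vendor hash + second Root of Trust hash) before it is ever run.
# Nothing is downloaded here; the installer below is a constructed sample.

# Portable SHA-256 hex digest of stdin (Linux has sha256sum, macOS has shasum).
sha256_of_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    shasum -a 256 | cut -d' ' -f1
  fi
}

# verify_script FILE VENDOR_HASH ROT_HASH
# Returns 0 only when the two published hashes agree with each other AND with
# the bytes in FILE. Hashing the saved file keeps the content exactly as
# downloaded; "$(curl ...)" would strip trailing newlines and change the digest.
verify_script() {
  file=$1; vendor=$2; rot=$3
  [ "$vendor" = "$rot" ] || { echo "vendor and RoT hashes disagree" >&2; return 2; }
  actual=$(sha256_of_stdin < "$file")
  [ "$actual" = "$vendor" ] || { echo "checksum mismatch: got $actual" >&2; return 1; }
  return 0
}

# Constructed sample installer standing in for the downloaded script.
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
printf 'echo "installing pow (sample)"\n' > "$tmp"
good=$(sha256_of_stdin < "$tmp")           # what honest vendor and RoT publish
bad=$(printf 'tampered\n' | sha256_of_stdin) # digest of different content

# demo: only the agreeing case would be allowed to proceed to "sh FILE".
demo() {
  if verify_script "$tmp" "$good" "$good"; then
    echo "both sources agree; safe to run: sh $tmp"
  fi
  verify_script "$tmp" "$good" "$bad" && echo "should not happen (sources disagree)"
  verify_script "$tmp" "$bad" "$bad" && echo "should not happen (file tampered)"
  return 0
}
demo
```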

It’s neither a beautiful nor a truly secure solution like a real Web of Trust on everyone’s computer, but we are where we are, and it seems like a good short-term patch for “piping into your sh” and the complete lack of usable verification (PGP sigs are a joke; I bet not even 1% ever verify them manually).