[clamav-users] Database updated over unencrypted connection?

Joel Esler (jesler) jesler at cisco.com
Sun Mar 17 22:09:33 EDT 2019


As Micah said, when we roll out the new version of freshclam that supports https, this will be a done deal. Technically, https on the cdn is available now. Freshclam just doesn’t know how to use it. We want people to use freshclam, as the way it functions reduces load on the mirrors and allows us to plan and predict how updating will work. Not something we can do if people are using wget or curl to download the entire main, daily, safebrowsing, and bytecode CVDs every second (looking at you, person in Japan).

It’s not a question of if we are going to do it. It’s not even a question of when. We know we are and we know when. There are only so many hours in the day, and we haven’t gotten to this one yet. This debate, while interesting, is essentially pointless. We’re going to do it.

Sent from my iPhone

> On Mar 17, 2019, at 21:25, Paul Kosinski via clamav-users <clamav-users at lists.clamav.net> wrote:
> 
> Looking at the PiperMail thread about how ClamAV verifies CVD
> signatures, I see two things that concern me.
> 
> First, it says it uses "an implementation of RSA inspired by
> http://www.erikyyy.de/yyyRSA/". How well has this implementation been
> vetted? I'm not a crypto expert (by any means), but people like Bruce
> Schneier stress that doing crypto right is difficult, and that there
> are many possibilities for subtle errors that cause the encryption to
> be weak. Witness the non-random seed that turned up in Debian a few
> years ago, or the recent Elliptic Curve "scandal".
> 
> Second, if the decryption key is baked in to ClamAV, what protocol is
> there to update it in case the encryption key is compromised? I presume
> it would require a ClamAV software update, but such an update would be
> critical, and the current out-of-date notice wouldn't cut it. In fact
> the fake CVD might even lie about the need for a software update.
> 
> I'm not saying that HTTPS would answer these questions, but perhaps a
> more robust security model would be desirable.
> 
> 
> On Fri, 15 Mar 2019 16:47:02 +0100
> Arnaud Jacques <webmaster at securiteinfo.com> wrote:
> 
>> Hello,
>> 
>>> On 15/03/2019 at 16:04, instaham--- via clamav-users wrote:
>>> Leonardo Rodrigues wrote:
>>>>     the databases are digitally signed, and any modification, such
>>>> in a man-in-the-middle attack, would break the signature and
>>>> freshclam would refuse to run the files.
>>> 
>>> Sounds good. Can you please explain how this works in detail?
>>> 
>>> Apt places GPG keys in the system and uses them to verify
>>> downloaded data.
>>> 
>>> It doesn't seem that ClamAV placed any GPG keys in my system. So
>>> how is the verification happening?
>> 
>> Read on 
>> https://lists.clamav.net/pipermail/clamav-users/2018-October/007053.html :
>> 
>> "
>> 
>> The .cvd files have an internal cryptographic signature that's
>> checked by freshclam and clamd/clamscan.  If freshclam and/or clamd
>> accepts the files, you can be assured they are official and
>> unmodified.  This is built into clam; no external tools are called.
>> 
>> "
>> 
>> Btw, it is working for official signatures. 3rd party signatures
>> provide hash-based checksum files.
>> 
> 
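The "internal cryptographic signature" the quoted reply refers to lives in the 512-byte colon-separated CVD header documented by ClamAV (magic, build time, version, signature count, functionality level, MD5 of the tar.gz body, RSA signature, builder, build time in seconds). The following is an added example, not code from this thread or from ClamAV: it parses that header and checks the MD5 field against the body, which is the integrity part of the check; the RSA signature field is only extracted, because verifying it needs the public key compiled into ClamAV, exactly the key-rollover concern raised above. The sample database, the builder name and the signature value are constructed placeholders, and padding the header with spaces is an assumption.

```python
import hashlib
import io
import tarfile

# Layout of the 512-byte CVD header as documented by ClamAV (colon separated):
# magic:build time:version:signature count:functionality level:MD5 of the
# tar.gz body:RSA signature:builder:build time in seconds.
CVD_HEADER_LEN = 512
CVD_FIELDS = ("magic", "build_time", "version", "sig_count", "flevel",
              "md5", "signature", "builder", "build_time_sec")


def parse_cvd_header(data):
    """Split the fixed-size header into named fields; raise on a non-CVD file."""
    if len(data) < CVD_HEADER_LEN:
        raise ValueError("file shorter than the CVD header")
    header = data[:CVD_HEADER_LEN].rstrip(b" \x00").decode("ascii")
    parts = header.split(":")
    if len(parts) != len(CVD_FIELDS) or parts[0] != "ClamAV-VDB":
        raise ValueError("not a ClamAV-VDB header")
    return dict(zip(CVD_FIELDS, parts))


def verify_cvd_md5(data):
    """Integrity half of the internal check: the header MD5 must match the body.
    The RSA signature over that MD5 is not verified here; the public key it
    needs is compiled into ClamAV itself, which is the point the thread debates."""
    hdr = parse_cvd_header(data)
    actual = hashlib.md5(data[CVD_HEADER_LEN:]).hexdigest()
    return actual == hdr["md5"].lower()


def build_sample_cvd(files, signature="SIGNATURE-PLACEHOLDER"):
    """Constructed test data only: a tar.gz body plus a header carrying a real
    MD5 but a placeholder signature (not a genuine ClamAV database)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    body = buf.getvalue()
    fields = ["ClamAV-VDB", "17 Mar 2019 22-09 -0400", "1", "1", "63",
              hashlib.md5(body).hexdigest(), signature, "example", "1552874973"]
    header = ":".join(fields).encode("ascii").ljust(CVD_HEADER_LEN, b" ")
    return header + body


def tamper(data, offset):
    """Flip one body byte, the kind of change an on-path modification of a plain
    HTTP download would make; the MD5 check is what catches it."""
    b = bytearray(data)
    b[offset] ^= 0x01
    return bytes(b)
```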