<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 2014-06-13, 6:57 AM, Jacob S Hoffman-Andrews wrote:<br>
<blockquote cite="mid:539B032E.8090408@eff.org" type="cite">
<blockquote type="cite">As far as I understand, there is no
difference. I am not a crypto expert, but here is my
understanding of the process:
<br>
1) An active attacker can MITM the connection and falsify ANY
data being sent, unless the server certificate is pinned (which
it is not, by default).
<br>
2) The signature is verified against EFF public key hardcoded
into the extension. The verification will fail if either the
data or the signature is tampered with (unless the attacker can
modify the hardcoded public key, but then the user is screwed
anyway).
<br>
</blockquote>
This is correct. Detached signatures are just as safe.
<br>
<br>
There's one little quirk in that you'd want to deploy a new
update.json with a new detached sig simultaneously, otherwise some
clients would fetch the old sig with the new update.json</blockquote>
<br>
Okay, I think I understand properly now. I had forgotten that
signatures are produced using a private key, so can't be so easily
faked by an attacker.<br>
So our proposed method for determining the authenticity of the
update.json file is this:<br>
Reduce the format down to <br>
{<br>
<pre><code>  "branch" : &lt;ruleset branch&gt;,
  "date" : &lt;the date the new db was released&gt;,
  "changes" : &lt;a short description of recent changes&gt;,
  "version" : &lt;ruleset release version&gt;,
  "hash" : &lt;the hash of the db file&gt;,
  "source" : &lt;the URL serving the updated ruleset db&gt;</code></pre>
}<br>
and then take the signature over the raw bytes in this file. We
write the signature we produce to a file update.json.sig and have
the extension fetch both files, using the contents of
update.json.sig to verify the contents of update.json in the
unparsed form are accurate.<br>
<br>
Is this correct?<br>
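<br>
The scheme proposed in this message, sketched as an added example that is not part of the original e-mail and is not the extension's own code: the signature is checked over the unparsed bytes of update.json, the JSON is parsed only after that check passes, and a stale update.json.sig fetched with a new update.json is rejected. Ed25519, SHA-256 for the "hash" field, Node's crypto module, the function names and all sample values are assumptions.

```javascript
// Added example, not HTTPS Everywhere code. Ed25519, SHA-256 and all names are assumptions.
const nodeCrypto = require("node:crypto");

// Constructed key pair standing in for the publisher's key. A real client
// would hardcode only the public half.
const { publicKey: PINNED_KEY, privateKey: SAMPLE_SIGNING_KEY } =
  nodeCrypto.generateKeyPairSync("ed25519");

const sha256Hex = (bytes) =>
  nodeCrypto.createHash("sha256").update(bytes).digest("hex");

// Publisher side: sign the exact bytes served as update.json.
function signUpdate(rawBytes, privateKey) {
  return nodeCrypto.sign(null, rawBytes, privateKey); // contents of update.json.sig
}

// Client side: check the signature over the unparsed bytes, parse only on success.
function verifyAndParse(rawBytes, sigBytes, publicKey) {
  if (!nodeCrypto.verify(null, rawBytes, publicKey, sigBytes)) {
    // Tampering and an old sig fetched with a new update.json look the same
    // here; either way keep the current ruleset and retry later.
    return { ok: false, reason: "bad-signature" };
  }
  try {
    return { ok: true, update: JSON.parse(rawBytes.toString("utf8")) };
  } catch (e) {
    return { ok: false, reason: "bad-json" };
  }
}

// After verification, the signed "hash" field authenticates the db download.
function dbMatchesUpdate(update, dbBytes) {
  return typeof update.hash === "string" && update.hash === sha256Hex(dbBytes);
}

// Constructed sample data: two releases of update.json and one db file.
const SAMPLE_DB = Buffer.from("constructed ruleset db bytes");
const makeUpdate = (version) => Buffer.from(JSON.stringify({
  branch: "stable", date: "2014-06-13", changes: "sample", version,
  hash: sha256Hex(SAMPLE_DB), source: "https://updates.example/rulesets.db",
}), "utf8");
const UPDATE_V1 = makeUpdate("1");
const UPDATE_V2 = makeUpdate("2");
const SIG_V1 = signUpdate(UPDATE_V1, SAMPLE_SIGNING_KEY);
const SIG_V2 = signUpdate(UPDATE_V2, SAMPLE_SIGNING_KEY);
```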
</body>
</html>