Time for Open-Source to Grow Up

Time for Open-Source to Grow Up
Jon Lasser, 2002-08-07

The OpenSSH backdoor demonstrates that the community must get pragmatic about package verification, and fast.

It's time for the open-source community to grow up. For years we have acted like rowdy, self-confident teenagers demanding the keys to the car, with only occasional success. It's time for us to acknowledge the larger world, and our relationship with it. Our teenage solipsism must go if we hope to blossom into mature, respected grown-ups.

This doesn't mean "selling out," we can retain at least some of our youthful optimism. But we need to find a set of principles upon which we can base our relationships with others -- common ground that we share with the big bad world outside.

The debate over the withdrawn full-disclosure draft and HP's DMCA threats are an obvious case where we need mature, reasonable community standards. Without general agreement on a framework for disclosure, we will continue to be treated like adolescents who refuse to grow up and take responsibility for ourselves.

But the clearest example of the need for a little more maturity is in identity certification.

The recently-discovered Trojan horse that someone snuck into the OpenSSH distribution is an embarrassing reminder that, as a community, we have failed to produce a simple, fail proof means of validating the integrity of software that we download.

Practically Imperfect
It is important to note that the OpenBSD team does not bear direct responsibility for the attack: the primary server is at the University of Alberta, and runs SunOS. The storage space and bandwidth required to serve such popular software is not trivial, and until OpenBSD has functional, stable SMP support, it would be unrealistic to host such a site on OpenBSD anyway.

Likewise, the Portable OpenSSH team did everything right. The public key for the distribution is available, as are detached signatures for the packages.

But who checks PGP signatures?

While Pretty Good Privacy and the GNU Privacy Guard provide a framework for strong cryptography, they don't provide a simple way to validate the source of software. The OpenSSH Trojan would have been thwarted by a package verification system simple enough for users to rely on, rather than simply ignore -- even if it provides less than the mathematically perfect proof of identity of PGP.

X.509 certificates meet this need.

In my opinion, X.509 is a lousy standard. I'm opposed in principle to hierarchical identity assurance -- it does not prove identity effectively, and it is subject to abuse by those at the top of the pyramid. PGP's web of trust and SPKI both seem to me to be more realistic, more natural ways to think about identity. But they have both failed in the marketplace where the X.509 certificates have succeeded. The level of identity assurance that they provide may be less than signed PGP keys, but people use them.

Self-signed X.509 certificates can be used to provide a lower level of assurance in a way that is still simple enough for the average user to manage, and that is what's needed here.

Had we not pursued a mathematically perfect solution at the beginning, we might have ended up with software that people would actually use to verify the integrity of their software. The best proved itself to be the enemy of the good. In fact, it was the simple, convenient solution that caught the OpenSSH Trojan: FreeBSD's MD5 checksum verification picked it up before anyone noticed it via a mismatched PGP signature.

The Cypherpunk Paradox
This is, in a very substantial way, the end of the Cypherpunk dream of security through mathematics. The technology will fail us if we rely on it for absolute truth, but it can provide a provisional basis for interaction with others.

It's been a long time coming. Why does FreeBSD's "ports" system checks MD5 checksums instead of PGP signatures? One answer is the desire to keep as few tools as possible in the base operating system. To add GNU Privacy Guard or another signature-checking tool to the base operating system will always be controversial to software purists who want to keep Unix just like it was when they first logged onto a PDP/11 in 1979.

Another answer is that cypherpunk sentiment against a hierarchical X.509-style public-key infrastructure has left us without a meaningful way to validate public keys as belonging to a particular individual or group.

The open-source community is showing signs of growing up in this regard: current development releases of the Mutt mail client support S/MIME (X.509) signatures in addition to the PGP/MIME signatures that it has supported for more than four years.

That's a good start. The fact is, we need a universal standard for identity certificates and cryptographic signatures, wherein ease of use and understanding is as important as the technical assurance, and which can be applied to software verification as easily as MD5 checksums are today. A perfect but complicated standard like PGP is of less use than a partial solution which people actually use. Until we accept this, can we expect Dad to trust us with the keys to the car?

SecurityFocus columnist Jon Lasser is the author of Think Unix (2000, Que), an introduction to Linux and Unix for power users. Jon has been involved with Linux and Unix since 1993 and is project coordinator for Bastille Linux, a security hardening package for various Linux distributions. He is a computer security consultant in Baltimore, MD.