@dstufft
Created February 2, 2013 22:08

Threat Model

Requirements

  1. Prevent a man-in-the-middle attack between the repository and the end user.
    • DNS Hijack/Spoofing
    • Rewriting a Response
    • SSL Stripping
  2. Prevent a compromised or malicious repository from being used to attack end users.
    • New versions of a distribution can be uploaded by the repository rather than by the project.
    • Existing versions can be silently replaced.
  3. Provide a means for a project to protect itself against lost or stolen keys, or a rogue maintainer.
    • Multiple maintainers can each release a distribution.
    • An authorized maintainer might lose their credentials, or might go rogue.
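As an added illustration of requirements 2 and 3 (example code, not part of the gist), the check a client could run before installing: a release is accepted only if a threshold of distinct, non-revoked maintainer keys signed metadata that pins the artifact hash, so a single lost or stolen key, a revoked rogue maintainer, or a repository silently swapping the file is rejected. The maintainer names, keys and the HMAC stand-in for public-key signatures are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed maintainer keys. HMAC with a per-maintainer secret stands in for
# public-key signatures (a real client would verify e.g. Ed25519 signatures
# against published public keys) so this runs on the standard library alone.
MAINTAINER_KEYS = {"alice": b"alice-secret", "bob": b"bob-secret", "carol": b"carol-secret"}

def canonical(metadata: dict) -> bytes:
    """Deterministic JSON encoding of the release metadata; this is what gets signed."""
    return json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()

def sign(key_id: str, metadata: dict) -> str:
    """Stand-in for one maintainer signing the release metadata with their key."""
    return hmac.new(MAINTAINER_KEYS[key_id], canonical(metadata), hashlib.sha256).hexdigest()

def verify_release(metadata, signatures, artifact, threshold=2, revoked=frozenset()):
    """Return (accepted, reason): accept only if at least `threshold` distinct non-revoked
    maintainers signed the metadata and the artifact matches the hash it commits to."""
    msg = canonical(metadata)
    valid = set()
    for key_id, sig in signatures.items():
        if key_id in revoked or key_id not in MAINTAINER_KEYS:
            continue  # lost/stolen/rogue key or unknown signer: does not count
        expected = hmac.new(MAINTAINER_KEYS[key_id], msg, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig):
            valid.add(key_id)
    if len(valid) < threshold:
        return False, f"{len(valid)} valid maintainer signature(s), need {threshold}"
    # The signed hash binds the artifact: a repository that silently replaces the
    # file, or a MITM rewriting the response, cannot also forge the signatures.
    if hashlib.sha256(artifact).hexdigest() != metadata["sha256"]:
        return False, "artifact hash does not match signed metadata"
    return True, "ok"

def demo() -> dict:
    """Run the threat scenarios from the requirements; returns case -> accepted."""
    artifact = b"constructed sdist bytes for example-1.0.tar.gz"
    meta = {"name": "example", "version": "1.0", "sha256": hashlib.sha256(artifact).hexdigest()}
    sigs = {"alice": sign("alice", meta), "bob": sign("bob", meta)}
    return {
        "genuine_release": verify_release(meta, sigs, artifact)[0],
        "silently_replaced_artifact": verify_release(meta, sigs, b"swapped file")[0],
        "single_stolen_key": verify_release(meta, {"alice": sigs["alice"]}, artifact)[0],
        "rogue_alice_revoked": verify_release(meta, sigs, artifact, revoked={"alice"})[0],
        "bob_and_carol_after_revocation": verify_release(
            meta, {"bob": sigs["bob"], "carol": sign("carol", meta)}, artifact, revoked={"alice"})[0],
    }
```

Requirement 1 is not addressed here: the MITM cases still rely on transport security, and the hash check only detects a rewritten artifact once signed metadata has been obtained intact.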

Out of Scope

  1. Verifying the "Safeness" of any particular distribution.
    • Anyone can upload a new project or distribution; reviewing each new author or distribution is too much of a burden to put on volunteers.
    • There is no single definition of "safe": one distribution's purpose might be to modify the runtime system, and if that is what the end user wants, is that "unsafe"?
  2. Verifying the identity of an author.
    • Hard to do in an automated system.
    • Labor intensive to do manually.
    • Possibly impossible to verify the identity of some people (e.g. _why).