Asterisk NOW appears to lack a download verification method


#1

There is no apparent method to verify the .iso has not been messed around with via MITM, no gpg keys, not even a https sha2 or 3 hash download.

In 2016 this is simply unacceptable, even for hobbyist software let alone something enterprise grade.


#2

There are hashes available in the download directory for each version of Asterisk.

http://downloads.asterisk.org/pub/telephony/asterisk/

The FreePBX guys have MD5sums of their images available on their download page:


#3

I know that, how do I verify those hashes? Haven’t you heard of an MITM attack?

How can a “Certified Asterisk professional” think that MD5 is a serious hash algorithm in 2016?


#4

MITM is man in the middle, i.e. someone wearing a black hat intercepts the web request and provides their own answers (e.g. with added malware) using the result of a request to the original site as a basis.

It would be more typically used to extract credentials from a requester.

The reference to MD5 in 2016 presumably refers to the fact that cryptographic weaknesses have been found in the algorithm, meaning it isn’t as computationally difficult to tweak the hacked download so that it produces the same hash as it was intended that it should be. On the other hand, it is still cryptographically a lot stronger than a CRC or checksum, and is still a good test against non-malicious corruption in the download.

Of course the other first principle in security is to do a risk assessment and provide security commensurate with the risk.

Most people will not validate checksums, although they may download under Windows, in which case their virus checker may well checksum it and compare against the values obtained for downloads by other people.

Presumably the OP wants a public key signed hash using SHA256, although how many people vet the list of root certificate providers in their browser, or hand that list in a totally secure way?

I suspect one of the reasons for the lack of even hashes for AsteriskNOW is that the target market isn’t sophisticated enough to make use of them. AsteriskNOW is an instant gratification product.


#5

Insults and snark aside, it would be good if we had a suitable hash posted along with the ISO.

I’ll pass this along to the folks who post the ISO on the download site.


#6

To meet the OP’s requirements, you would need a public key signature of the hash, probably not gpg/pgp as the trust chain may be difficult to complete, or to serve it from an https web site.


#7

Thank you mjordan and david551 :smiley:

We need a non catch-22 verification method, such as a https page with sha2/3 512 hashes on it plus a https page with a WOT signed gpg key ID/fingerprint listed - as david explained simply posting hashes is not enough.

For both Asterisk NOW and all the other downloads including regular asterisk (which also lacks this, and needs it just as badly)

Setting the .iso download server to https only would also increase security and provide protection for (as you said) the casual user.


#8

Any progress on this?

I want to use this distro as it makes it easier to run my phone services in a VM (don’t have to bother with another dist) but the idea that I could receive a contaminated download is no good.

Linux Mint got hacked and the .isos on the download server were messed around with - I can’t believe that people think hashes are an acceptable method of verification even if they are hosted on another server; if you can mess with the .iso you can mess with them too.
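
Added example, not part of the thread or of any Asterisk tooling: a sketch of the check posts #6 and #7 ask for, where the checksum list is authenticated with a public-key signature before the ISO's SHA-256 is compared against it. It uses `openssl` rather than gpg; the file names, the throwaway RSA key and the sample image are constructed for the demonstration, and the publisher's public key is assumed to have reached the user over a trusted channel.

```shell
# Added example; every file name and key below is constructed for the demo.
# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# verify_download ISO SUMS SIG PUBKEY
# Returns 0 if SUMS carries a valid signature from PUBKEY and lists ISO's
# digest, 1 if the digest does not match, 2 if SUMS itself is not authentic.
verify_download() {
    vd_iso=$1 vd_sums=$2 vd_sig=$3 vd_pub=$4
    # Step 1: authenticate the checksum list before trusting anything in it.
    openssl dgst -sha256 -verify "$vd_pub" -signature "$vd_sig" "$vd_sums" \
        >/dev/null 2>&1 || return 2
    # Step 2: look up the expected digest by file name and compare.
    vd_want=$(awk -v n="$(basename "$vd_iso")" '$2 == n { print $1 }' "$vd_sums")
    [ -n "$vd_want" ] && [ "$vd_want" = "$(sha256_of "$vd_iso")" ] || return 1
}

# make_fixture DIR: constructed publisher key, sample image, signed checksum list.
make_fixture() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/publisher.key" 2>/dev/null
    openssl pkey -in "$1/publisher.key" -pubout -out "$1/publisher.pub"
    printf 'constructed sample image\n' > "$1/sample.iso"
    printf '%s  sample.iso\n' "$(sha256_of "$1/sample.iso")" > "$1/SHA256SUMS"
    openssl dgst -sha256 -sign "$1/publisher.key" \
        -out "$1/SHA256SUMS.sig" "$1/SHA256SUMS"
}

# simulate_swapped_download DIR: test fixture for the case raised in the thread,
# where the image and the unsigned hash beside it are both replaced. The
# signature file is left untouched because the private key is not available.
simulate_swapped_download() {
    printf 'altered image\n' > "$1/sample.iso"
    printf '%s  sample.iso\n' "$(sha256_of "$1/sample.iso")" > "$1/SHA256SUMS"
}
```

After the swap, a bare comparison of the image against `SHA256SUMS` still succeeds, while `verify_download` stops at the signature step with status 2.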