Featured Articles

WordPress Profiling with XHProf (Debugging & Optimizing Speed)
Crowdfunding on Crowd Supply (Review of my experience)
Trusted Boot (Anti-Evil-Maid, Heads, and PureBoot)
WordPress Multisite on the Darknet (Mercator .onion alias)
Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)
Detecting (Malicious) Unicode in GitHub PRs
Continuous Documentation: Hosting Read the Docs on GitHub Pages (2/2)
Hardening Guide for phpList
Introducing BusKill: A Kill Cord for your Laptop
previous arrow
next arrow

3TOFU: Verifying Unsigned Releases

Verifying Unsigned Releases with 3TOFU

This article introduces the concept of “3TOFU” — a harm-reduction process when downloading software that cannot be verified cryptographically.

⚠ NOTE: This article is about harm reduction.

It is dangerous to download and run binaries (or code) whose authenticity you cannot verify (using a cryptographic signature from a key stored offline). However, sometimes we cannot avoid it. If you’re going to proceed with running untrusted code, then following the steps outlined in this guide may reduce your risk.

TOFU

TOFU stands for Trust On First Use. It’s a (often abused) concept of downloading a person or org’s signing key and just blindly trusting it (instead of verifying it).

3TOFU

3TOFU is a process where a user downloads something three times at three different locations. If-and-only-if all three downloads are identical, then you trust it.

Why 3TOFU?

The EFF’s Deep Crack proved DES to be insecure and pushed a switch to 3DES.

During the Crypto Wars of the 1990s, it was illegal to export cryptography from the United States. In 1996, after intense public pressure and legal challenges, the government officially permitted export with the 56-bit DES cipher — which was a known-vulnerable cipher.

But there
. . . → Read More: 3TOFU: Verifying Unsigned Releases

Let’s Encrypt!

Finally, this website is (only) accessible over https!

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael

tech.michaelaltfield.net/