Featured Articles

Trusted Boot (Anti-Evil-Maid, Heads, and PureBoot)
WordPress Multisite on the Darknet (Mercator .onion alias)
Detecting (Malicious) Unicode in GitHub PRs
Introducing BusKill: A Kill Cord for your Laptop
Crowdfunding on Crowd Supply (Review of my experience)
WordPress Profiling with XHProf (Debugging & Optimizing Speed)
Continuous Documentation: Hosting Read the Docs on GitHub Pages (2/2)
Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)
Hardening Guide for phpList
previous arrow
next arrow

3TOFU: Verifying Unsigned Releases

Verifying Unsigned Releases with 3TOFU

This article introduces the concept of “3TOFU” — a harm-reduction process when downloading software that cannot be verified cryptographically.

⚠ NOTE: This article is about harm reduction.

It is dangerous to download and run binaries (or code) whose authenticity you cannot verify (using a cryptographic signature from a key stored offline). However, sometimes we cannot avoid it. If you’re going to proceed with running untrusted code, then following the steps outlined in this guide may reduce your risk.

TOFU

TOFU stands for Trust On First Use. It’s a (often abused) concept of downloading a person or org’s signing key and just blindly trusting it (instead of verifying it).

3TOFU

3TOFU is a process where a user downloads something three times at three different locations. If-and-only-if all three downloads are identical, then you trust it.

Why 3TOFU?

The EFF’s Deep Crack proved DES to be insecure and pushed a switch to 3DES.

During the Crypto Wars of the 1990s, it was illegal to export cryptography from the United States. In 1996, after intense public pressure and legal challenges, the government officially permitted export with the 56-bit DES cipher — which was a known-vulnerable cipher.

But there
. . . → Read More: 3TOFU: Verifying Unsigned Releases