NickeManarin / ScreenToGif

🎬 ScreenToGif allows you to record a selected area of your screen, edit and save it as a gif or video.
http://www.screentogif.com
Microsoft Public License
23.52k stars 2.17k forks

Hash Checking #560

Open secprentice opened 4 years ago

secprentice commented 4 years ago

Recently a popular Monero wallet site was hacked, the attackers replaced a known trusted binary with a backdoored one to allow crypto theft. The only reason the attack was uncovered was because the attackers didn't update the binary hashes on the site.

More on the story here

Would ScreenToGif consider publishing known safe hashes to a key system so we can validate the software we are downloading can be trusted? In fact, is this already being done?

Thank you

NickeManarin commented 4 years ago

Well, ScreenToGif has a code signing certificate in use, I'm not sure if adding the hashes would help much. What do you think?

vatterspun commented 4 years ago

> Well, ScreenToGif has a code signing certificate in use, I'm not sure if adding the hashes would help much. What do you think?

It is true that some projects have been attacked and junkware inserted for nefarious purposes, but the best thing you can do for your project is standard good security practices. Use two-factor authentication for login, change your password every 6 months, and just keep an eye on your environment for anything weird. Screentogif isn't exactly used for network penetration testing, so I don't know how many of your users are going to be so careful as to check the hashing function. I guess @secprentice will.

If you decide to go this route for extra safety, a few notes:

  1. If you do post file hashes, you'd want to post them to an independent, 3rd party site unrelated to Github. This is because, if your Github account is hacked, it's not difficult for the attacker to change the hash to the malware-infected version. You could potentially just add it to the end of your "new release" Twitter posts.

  2. If you go this route, use "SHA 256" hashes, which are sort of the standard thanks to sites like VirusTotal. There are other hashing standards, but if you're the sort of person checking hashes for security reasons, you're not going to trust MD5 and SHA-1.

Another option is to generate GPG signatures, which are very difficult to forge, but not in wide use. Even though it's an open standard and has been around for decades, even security personnel I've known won't bother with it. I can't explain why. You can see a bit more about Github and GPG signatures here: https://github.blog/2016-04-05-gpg-signature-verification/ or https://help.github.com/en/github/authenticating-to-github/managing-commit-signature-verification or I can point you to some other sources with additional explanation.
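The user-side check that the comments above are describing, as an added example rather than anything from the ScreenToGif project: a PowerShell script that verifies a downloaded release on Windows by comparing its SHA-256 against a hash obtained from an independent channel and by checking its Authenticode signature. `Get-FileHash` and `Get-AuthenticodeSignature` are built-in cmdlets; the parameter names, the `Test-*` functions and the `PLACEHOLDER_THUMBPRINT` value are this example's own assumptions, and the expected hash and signer thumbprint must come from the publisher's out-of-band source, not from the same page the file was fetched from.

```powershell
# Added example, not ScreenToGif project code.
# Usage: .\Verify-Release.ps1 -Path .\ScreenToGif.exe -ExpectedSha256 <hash> `
#            -ExpectedSignerThumbprint <thumbprint>
# Exit code 0 means both the hash and the pinned signature matched.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [Parameter(Mandatory = $true)][string]$ExpectedSha256,
    # Placeholder: replace with the publisher's real code-signing certificate thumbprint.
    [string]$ExpectedSignerThumbprint = 'PLACEHOLDER_THUMBPRINT'
)

function Test-ReleaseHash {
    param([string]$Path, [string]$ExpectedSha256)
    # SHA-256 as the comment above recommends; MD5/SHA-1 are not collision resistant.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    # PowerShell's -eq on strings is case-insensitive, so hex case does not matter.
    if ($actual -eq $ExpectedSha256.Trim()) {
        return $true
    }
    Write-Warning "SHA-256 mismatch: got $actual, expected $ExpectedSha256"
    return $false
}

function Test-ReleaseSignature {
    param([string]$Path, [string]$ExpectedSignerThumbprint)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the signature verifies and the certificate chains to a trusted root.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status: $($sig.Status) - $($sig.StatusMessage)"
        return $false
    }
    # A valid chain alone only proves *someone* with a trusted cert signed the file;
    # pin the expected signer so a different certificate is rejected.
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedSignerThumbprint) {
        Write-Warning "Signed by unexpected certificate: $($sig.SignerCertificate.Subject)"
        return $false
    }
    return $true
}

$hashOk = Test-ReleaseHash -Path $Path -ExpectedSha256 $ExpectedSha256
$sigOk  = Test-ReleaseSignature -Path $Path -ExpectedSignerThumbprint $ExpectedSignerThumbprint

if ($hashOk -and $sigOk) {
    Write-Host "OK: hash and signature both match the expected values."
    exit 0
}
Write-Host "FAILED: do not run this file."
exit 1
```

The two checks answer different questions: the hash tells you the file is byte-for-byte the one the publisher described somewhere you trust independently of the download host, while the signature tells you who signed it, which is why the script pins the signer thumbprint rather than accepting any valid certificate.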

secprentice commented 4 years ago

The signature probably covers it to be honest. Hash checking probs not needed