Discussion:
Update Virus Definitions Using SSL
s***@accenture.com
2010-02-15 12:54:03 UTC
Permalink
Hi,

I was wondering if there is a way to connect to the Update Servers (not mirrors) using SSL/HTTPS instead of standard HTTP. I couldn't find any information regarding that so far. Has anyone tried that before or knows how it can be configured?

By the way, I'm running the software on Solaris.

Thanks,

Sokratis

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Jon Bendtsen
2010-02-15 13:32:29 UTC
Permalink
Post by s***@accenture.com
Hi,
I was wondering if there is a way to connect to the Update Servers (not mirrors) using SSL/HTTPS instead of standard HTTP. I couldn't find any information regarding that so far. Has anyone tried that before or knows how it can be configured?
Why do you want to do that?
Török Edwin
2010-02-15 13:34:17 UTC
Permalink
Post by s***@accenture.com
Hi,
I was wondering if there is a way to connect to the Update Servers (not mirrors) using SSL/HTTPS instead of standard HTTP.
That would be a waste of resources on the mirrors.
Post by s***@accenture.com
I couldn't find any information regarding that so far. Has anyone tried that before or knows how it can be configured?
The databases, and updates are digitally signed, so you don't need
SSL/HTTPS.
Freshclam and libclamav check the digital signatures when loading the
databases.

Best regards,
--Edwin
Matus UHLAR - fantomas
2010-02-15 13:45:35 UTC
Permalink
Post by Török Edwin
Post by s***@accenture.com
I was wondering if there is a way to connect to the Update Servers (not
mirrors) using SSL/HTTPS instead of standard HTTP.
The databases, and updates are digitally signed, so you don't need
SSL/HTTPS.
Freshclam and libclamav check the digital signatures when loading the
databases.
hmmm, signed by whom? And where are public keys stored? How are 3rd party
databases checked?
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie (Slovak): I wish NOT to receive any advertising mail at this address.
LSD will make your ECS screen display 16.7 million colors
Török Edwin
2010-02-15 15:09:24 UTC
Permalink
Post by Matus UHLAR - fantomas
Post by Török Edwin
Post by s***@accenture.com
I was wondering if there is a way to connect to the Update Servers (not
mirrors) using SSL/HTTPS instead of standard HTTP.
The databases, and updates are digitally signed, so you don't need
SSL/HTTPS.
Freshclam and libclamav check the digital signatures when loading the
databases.
hmmm, signed by whom? And where are public keys stored?
CVDs are signed prior to publishing, and pushing to the mirrors.
The public key is hardcoded in libclamav.

You can verify the signature using sigtool manually:
$ sigtool/sigtool --info daily.cvd
File: daily.cvd
Build time: 14 Feb 2010 20:31 -0500
Version: 10392
Signatures: 168531
Functionality level: 44
Builder: acab
MD5: d6ab08bc2271847d06ebcfe95a2b6bfc
Digital signature:
lamlVM3R8gXfEFFGQTQ0ptug07l6p1zkr40HyRgi9/g1rvIiBTP7I1N/XDwsMzEb9QwKv0HkMQyRneCYc7VE5PU8Eysg1kp3LM/AnqpyfTGcZ2NKfFaUPOuaRkfjSF8z7iExR1bY3miLzKlVmT/ZM/7Dr4ofa3NOpM6cXqr1Gyj
Verification OK.

If the database is tampered with you will get something like this (for
example if one byte is wrong):
File: daily.cvd
Build time: 14 Feb 2010 20:31 -0500
Version: 10392
Signatures: 168531
Functionality level: 44
Builder: acab
MD5: d6ab08bc2271847d06ebcfe95a2b6bfc
Digital signature:
lamlVM3R8gXfEFFGQTQ0ptug07l6p1zkr40HyRgi9/g1rvIiBTP7I1N/XDwsMzEb9QwKv0HkMQyRneCYc7VE5PU8Eysg1kp3LM/AnqpyfTGcZ2NKfFaUPOuaRkfjSF8z7iExR1bY3miLzKlVmT/ZM/7Dr4ofa3NOpM6cXqr1Gyj
ERROR: cvdinfo: Verification: Can't verify database integrity

cdiff files (incremental updates) have a digital signature that is
checked by freshclam too.
Also 0.96 will check the SHA-256 hash of each file in the .cvd/.cld, and
these hashes are signed similarly to .cdiffs.

So downloading via HTTPS/SSL won't give you additional security.
In fact if freshclam wasn't able to check the digital signature, then
even if you downloaded over HTTPS you wouldn't know
if the databases have been tampered with or not.
You only know that you get what is on the mirror, and not that the
mirror has the same database that was published.
Post by Matus UHLAR - fantomas
How are 3rd party
databases checked?
They are not checked by freshclam (yet). Some 3rd-party update scripts
check them using gpg signatures I think.

Best regards,
--Edwin
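As an added example, not code from the thread and not ClamAV's own verifier, the following Python script models the check Edwin describes: the .cvd carries a header with the MD5 of the database body and a signature over that MD5, so a single flipped byte fails the MD5 check, and a rewritten body with a recomputed MD5 still fails the signature check, which is exactly why the transport (HTTP or HTTPS) does not matter. Everything below is an assumption of this example rather than a statement about ClamAV internals: the nine-field, colon-separated, space-padded 512-byte header layout, the MD5 being computed over the tar.gz body that follows the header, a constructed RSA key pair standing in for the key hardcoded in libclamav, and plain base64 standing in for ClamAV's own signature encoding. The database content, version numbers and builder name are constructed sample data.

```python
"""Added example: how a signed .cvd is checked, independent of the transport.

Assumptions (example only, not ClamAV's real format, key or encoding):
  header = ClamAV-VDB:<build time>:<version>:<sigs>:<flevel>:<md5>:<dsig>:<builder>:<stime>
  padded with spaces to 512 bytes; MD5 covers everything after the header
  (a tar.gz of the database files); dsig is RSA over that MD5, base64-encoded.
"""
import base64
import hashlib
import io
import tarfile

HEADER_LEN = 512
FIELDS = ["magic", "build_time", "version", "signatures", "flevel",
          "md5", "dsig", "builder", "stime"]

# Constructed RSA key (Mersenne primes keep the example deterministic and offline).
_P, _Q = 2**89 - 1, 2**107 - 1
PUB_N, PUB_E = _P * _Q, 65537
_PRIV_D = pow(PUB_E, -1, (_P - 1) * (_Q - 1))   # publisher-only secret
_SIG_LEN = (PUB_N.bit_length() + 7) // 8


def sign_md5(md5_hex: str) -> str:
    """Publisher side: textbook RSA over the digest (example scheme only)."""
    s = pow(int(md5_hex, 16), _PRIV_D, PUB_N)
    return base64.b64encode(s.to_bytes(_SIG_LEN, "big")).decode()


def verify_md5_sig(md5_hex: str, dsig: str) -> bool:
    """Verifier side: only the public key is needed; recover the digest and compare."""
    s = int.from_bytes(base64.b64decode(dsig), "big")
    return pow(s, PUB_E, PUB_N) == int(md5_hex, 16)


def _tar_gz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _make_header(info: dict) -> bytes:
    header = ":".join(info[k] for k in FIELDS).encode()
    if len(header) > HEADER_LEN:
        raise ValueError("header does not fit in 512 bytes")
    return header.ljust(HEADER_LEN, b" ")


def build_cvd(files: dict, version: str = "10392", builder: str = "acab") -> bytes:
    """Publisher side: body first, then a header carrying MD5(body) and its signature."""
    body = _tar_gz(files)
    md5 = hashlib.md5(body).hexdigest()
    info = {"magic": "ClamAV-VDB",
            "build_time": "14 Feb 2010 20-31 -0500",  # dash, not colon: ':' is the delimiter
            "version": version, "signatures": "168531", "flevel": "44",
            "md5": md5, "dsig": sign_md5(md5), "builder": builder, "stime": "1266197460"}
    return _make_header(info) + body


def parse_cvd(data: bytes) -> dict:
    fields = data[:HEADER_LEN].rstrip(b" ").decode("ascii").split(":")
    if len(fields) != len(FIELDS) or fields[0] != "ClamAV-VDB":
        raise ValueError("not a CVD header")
    info = dict(zip(FIELDS, fields))
    info["body"] = data[HEADER_LEN:]
    return info


def verify_cvd(data: bytes) -> tuple:
    """Both checks a verifier makes; either failure means the database is not trusted."""
    info = parse_cvd(data)
    if hashlib.md5(info["body"]).hexdigest() != info["md5"]:
        return False, "MD5 mismatch: Can't verify database integrity"
    if not verify_md5_sig(info["md5"], info["dsig"]):
        return False, "signature does not match MD5: Can't verify database integrity"
    return True, "Verification OK."


def demo() -> dict:
    """Untouched file, one flipped byte, and a mirror-side rewrite with recomputed MD5."""
    good = build_cvd({"daily.ndb": b"Example.Sig:0:*:deadbeef\n"})   # constructed content
    off = HEADER_LEN + 10
    flipped = good[:off] + bytes([good[off] ^ 0x01]) + good[off + 1:]
    # A mirror, or anyone between you and it (HTTPS or not), can swap the body and
    # recompute the MD5, but cannot produce a signature over the new MD5.
    info = parse_cvd(good)
    new_body = _tar_gz({"daily.ndb": b"Example.Sig:0:*:cafebabe\n"})
    info["md5"] = hashlib.md5(new_body).hexdigest()          # dsig left unchanged
    forged = _make_header(info) + new_body
    return {"good": verify_cvd(good), "flipped": verify_cvd(flipped),
            "forged": verify_cvd(forged)}


if __name__ == "__main__":
    for name, (ok, msg) in demo().items():
        print(f"{name:8s} {msg}")
```

Running it prints "Verification OK." for the untouched file and the integrity error for the other two. The "forged" case is the one HTTPS would not catch: the file is served consistently by the mirror, so transport authentication says nothing about whether it is the database that was published; only the signature check against the key baked into the verifier does.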