2006-10-21
AltSci Concepts

Computer Journal

Website Signature Verifier
by Joel R. Voss aka. Javantea
jvoss@altsci.com
jvoss@myuw.net
Nov 13, 2005

Site Sign 0.3 Source [sig]

DESCRIPTION

Site Sign sends an e-mail when a cryptographic check of your site fails. This is useful for detecting changes, intrusions, and mistakes. There are three levels of testing:

Level 1: Check that remote page concurs with remote signature.
Level 1 ensures that someone has signed the file with a key that we have in our public keyring, so if your page is changed, it is because of an intended change that has been signed by the developer. Level 1 is not a perfect guarantee of security: an attacker whose key is in your public keyring could sign the page with their own key and Level 1 would still pass.

Level 2: Check that the remote page has been signed with the correct key.
Level 2 fills the hole that Level 1 leaves: it ensures that the key ID of the signing key is the one you expect. If an attacker has the same key ID as you (unlikely), then Level 2 can still be attacked.

Level 3: Check that the remote page has been signed with the local key.
Level 3 fills the gap that Levels 1 and 2 leave: it ensures that the page has not changed since we updated the local signature. This is more involved than the other levels because it requires you to update the remote server with the signature every time you update the page.

REQUIREMENTS

This program requires Bash, GnuPG, Curl, and Mail. If you get errors saying that -a doesn't exist, you're probably not using Bash. Call site_sign.sh with bash explicitly to get around this problem.

USAGE

gen_index_sig1.sh is the script that generates the signature for the index file. It is terrifically simple:
gpg -a -b index.html
This creates a detached signature: index.html.asc
To pass Level 3, you need to run:

scp index.html.asc $REMOTE_SERVER:$TESTDIR/index.html.asc.local

Before it works you need to get the public key in your keyring. If you're using the example of altsci.com, simply import jvoss.asc like this: gpg --import jvoss.asc

You will _definitely_ need to edit the first 5 variables in site_sign.sh:

# TESTDIR is the directory to do the testing.
# You need write access.
TESTDIR=/home/jvoss/site_sign

# FILE is the remote file that you wish to test.
FILE=index.html

# SITE is the server that you wish to test.
SITE=http://www.altsci.com

# KEY is the Key ID that you wish to ensure in Level 2.
KEY=1954FED2

# EMAIL is the address that you wish to send an 
# e-mail to when a compromise has been found.
EMAIL=jvoss@altsci.com

NEW IMPLEMENTATIONS

If you're using this for your own server, you'll need to use a key from your own server. You need to export the public key and copy it to the destination server.

# Export the key.
gpg -a --export $KEY > key.asc

# Copy the key to the remote server.
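# (The trailing colon makes scp copy to the remote home directory
# instead of to a local file named after the server.)
scp key.asc $REMOTE_SERVER:

# SSH into the remote server.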
ssh $REMOTE_SERVER

# Import the key.
gpg --import key.asc
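
As an added example (not the Site Sign source and not code from the author), the script below grades the output of gpg --status-fd against the three levels from DESCRIPTION, using the SITE, FILE, KEY and TESTDIR values from USAGE as arguments. The function names and the location of the remote signature ($SITE/$FILE.asc) are assumptions; passing a full fingerprint instead of the 8-digit KEY makes the Level 2 comparison stricter.

```bash
# Added example, not the Site Sign source: grade `gpg --status-fd` output
# against the three levels described on this page.

# level1 STATUS: a good, valid signature from a keyring key and no BADSIG.
level1() {
    printf '%s\n' "$1" | grep -q '^\[GNUPG:] BADSIG ' && return 1
    printf '%s\n' "$1" | grep -q '^\[GNUPG:] GOODSIG ' || return 1
    printf '%s\n' "$1" | grep -q '^\[GNUPG:] VALIDSIG '
}

# level2 STATUS KEY: Level 1, and every VALIDSIG fingerprint ends with KEY
# (the 8-digit key ID used on this page, or a full fingerprint).
level2() {
    level1 "$1" || return 1
    key=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$key" ] || return 1
    printf '%s\n' "$1" | awk -v key="$key" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            n++; f = toupper($3)
            if (substr(f, length(f) - length(key) + 1) != key) bad = 1
        }
        END { exit !(n > 0 && !bad) }'
}

# grade STATUS KEY: print the highest of Levels 1-2 that passed (0 = none).
grade() {
    if level2 "$1" "$2"; then echo 2
    elif level1 "$1"; then echo 1
    else echo 0
    fi
}

# gpg_status SIG FILE: machine-readable result of verifying FILE with SIG.
gpg_status() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null
}

# site_check SITE FILE KEY DIR: print the highest level passed (0-3).
# Assumption: the remote signature is served at SITE/FILE.asc; the trusted
# copy is DIR/FILE.asc.local, placed there by the scp step under USAGE.
site_check() {
    curl -fsS -o "$4/$2" "$1/$2" || return 2
    curl -fsS -o "$4/$2.asc" "$1/$2.asc" || return 2
    remote=$(grade "$(gpg_status "$4/$2.asc" "$4/$2")" "$3")
    trusted=$(grade "$(gpg_status "$4/$2.asc.local" "$4/$2")" "$3")
    if [ "$remote" -eq 2 ] && [ "$trusted" -eq 2 ]; then echo 3
    else echo "$remote"
    fi
}
```

Run site_check "$SITE" "$FILE" "$KEY" "$TESTDIR" from the monitoring host and send mail to $EMAIL whenever the printed level is lower than the one you expect.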

If you are interested in developing Website Signature Verifier, feel free to e-mail me.

