How it all started
Reading Attack Surface by Cory Doctorow I stumbled upon a chapter:
Binary transparency is elegant and cool.
So I searched for more references and did not find an up-to-date, running and simple implementation of it. Having some spare time in lockdown, I just started implementing it in a way that I think would serve my needs, and perhaps other people's too.
What is the attack vector?
Initially your computer is clean and has no backdoors. Let us assume this as a starting point; otherwise you are already lost.
Now you want to get all the fresh updates of existing tools, to close zero-day holes and known bugs. Or you want to install some additional tools and programs to get your important and secret work done.
Normally your OS handles that. It validates downloaded files against checksums and even against valid cryptographic package signatures. But what if the vendor, or someone in between with access to a lot of things, had tampered with that package and given it a valid signature again?
Ask the masses
You could manually validate each download's checksum and signature, but even that can be fooled unless you compare your results with those of other users.
So this is where binary transparency kicks in. All users downloading the same, and most of the time unchanged, package will agree on the same valid checksum. Now you download and receive a changed package. The validation fails and you get alerted; the package remains uninstalled or unpatched.
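To make the "ask the masses" check concrete, here is an added example in Python. It is not the code of the implementation described in this post; the in-memory `LOG` dictionary, the `(package, version)` key and the thresholds `min_reports` and `min_agreement` are assumptions standing in for the central database and open API. Each user reports the SHA-256 of what they downloaded; a new download is accepted only if it matches the digest that the large majority of other users saw, otherwise it is flagged for alert.

```python
import hashlib
from collections import Counter

# Constructed stand-in for the shared, openly readable log of observed
# package digests. A real deployment would query this over the public API;
# the shape used here is an assumption for the example.
LOG = {}  # (package, version) -> Counter of sha256 hex digests reported by users


def sha256_of(data: bytes) -> str:
    """Digest of a downloaded package file."""
    return hashlib.sha256(data).hexdigest()


def report(package: str, version: str, digest: str) -> None:
    """Record one user's observation of a package digest in the shared log."""
    LOG.setdefault((package, version), Counter())[digest] += 1


def check(package: str, version: str, downloaded: bytes,
          min_reports: int = 3, min_agreement: float = 0.9):
    """Compare a fresh download against what other users reported.

    Returns (verdict, details):
      'unknown'  - too few reports to judge; the caller should hold the install
      'ok'       - our digest equals the dominant digest and agreement is high
      'mismatch' - our digest differs from what most users saw -> alert
    """
    digest = sha256_of(downloaded)
    seen = LOG.get((package, version), Counter())
    total = sum(seen.values())
    if total < min_reports:
        return "unknown", {"ours": digest, "reports": total}
    top_digest, top_count = seen.most_common(1)[0]
    agreement = top_count / total
    if digest == top_digest and agreement >= min_agreement:
        return "ok", {"ours": digest, "agreement": agreement}
    return "mismatch", {"ours": digest, "expected": top_digest, "agreement": agreement}


def demo():
    """Constructed scenario: five users saw the genuine package, we get a changed one."""
    genuine = b"constructed sample: genuine package contents"
    tampered = b"constructed sample: package contents with an extra payload"
    good = sha256_of(genuine)
    for _ in range(5):
        report("example-tool", "1.2.3", good)
    genuine_verdict = check("example-tool", "1.2.3", genuine)[0]
    tampered_verdict = check("example-tool", "1.2.3", tampered)[0]
    return genuine_verdict, tampered_verdict


if __name__ == "__main__":
    print(demo())  # ('ok', 'mismatch')
```

Two design points worth noting. An `unknown` verdict is deliberate: with only one or two reports the log cannot tell a fresh release from a targeted substitution, so the safe default is to hold the install rather than accept. And the check only detects a package that differs from what other users received; a build that is compromised identically for everybody will reach consensus just as a genuine one does, which is the gap that reproducible builds aim to close.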
Open Data, open trust
Every entry is stored in a central database that everyone can access in the background via an open API.
Or you can even add an RSS feed of the recent updates to whatever your tool chain looks like.
A different approach is the reproducible build, where the user just gets the plain source, compiles it themselves and compares the resulting binary with the distributed one.
That seems like too much effort for the end user. Not everyone wants to compile first, and nearly no one is able to audit the source closely enough to be sure it is fine. Perhaps the attack lies in the Makefile? Who knows.
I like the idea of distributing the data on an immutable medium, but the effort is high and first you have to gather enough users.
So perhaps this will be an addition in the future.
I think it is a misuse to keep too much data in the DNS system. For just looking up the hash of something, a good old plain API call is much better.