Does quicklisp not perform any verification of downloads? - quicklisp

Does quicklisp not perform any verification of downloads? Skimming the source code I see no indication that it does any checksumming or cryptographic verification and it appears to download everything over http.

Right on both counts. It is not good. I hope to fix it.
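The two gaps named in the question (no checksum or signature check, and plain-http transport) are exactly what a client-side verification step closes. The following is an added example, not code from quicklisp or its author: it requires an https:// URL and compares the SHA-256 of the fetched bytes against a pinned digest before the archive is accepted. The URL, archive bytes and digest are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample data: a stand-in for a fetched archive and the digest a
# client would carry in a pinned (ideally signed) manifest. Not real values.
SAMPLE_ARCHIVE = b"dummy-archive-contents-v1"
PINNED_SHA256 = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()


def check_transport(url: str) -> None:
    """Refuse anything that is not https://; over plain http an on-path
    attacker can substitute the archive and no digest is needed to do it."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-TLS download: {url}")


def verify_download(url: str, data: bytes, expected_sha256: str) -> bool:
    """Return True only if the transport was TLS and the bytes match the
    pinned digest; raise ValueError otherwise."""
    check_transport(url)
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest avoids timing leaks; harmless here, good habit generally
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise ValueError(
            f"digest mismatch for {url}: got {actual}, expected {expected_sha256}"
        )
    return True


def classify(url: str, data: bytes, expected_sha256: str) -> str:
    """Map the outcome of verify_download to a short label for logging."""
    try:
        verify_download(url, data, expected_sha256)
        return "ok"
    except ValueError as exc:
        return "transport" if "non-TLS" in str(exc) else "digest"


if __name__ == "__main__":
    good_url = "https://dist.example.invalid/pkg.tgz"   # placeholder host
    print(classify(good_url, SAMPLE_ARCHIVE, PINNED_SHA256))               # ok
    print(classify(good_url, SAMPLE_ARCHIVE + b"x", PINNED_SHA256))        # digest
    print(classify("http://dist.example.invalid/pkg.tgz",
                   SAMPLE_ARCHIVE, PINNED_SHA256))                         # transport
```

The digest only helps if it reaches the client over a channel the attacker cannot also rewrite (a signed manifest, or a digest list fetched over TLS from a pinned host); a hash served next to the archive over the same plain-http connection adds nothing.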

Related

How does FTP work

I want to make my own ftp server software. I know, there are many ftp servers ready to install that have many features, but I still want to make my own, cause I can customize it and make it the way I want. Also, I find it fun to code, and I would rather make my own FTP server instead of downloading one that is ready to use if I have time. The problem is I can't find any information on how the protocol works and stuff like that. I would appreciate it if someone could explain how the protocol works or at least send me to a page that has useful information. Thanks!
If you are curious about being downvoted, here is the explanation:
When planning a homebrew ftp program, it is a good point to google about FTP. Soon you will find RFCs (that is "Request For Comment"), where things like the FTP protocol are described.
That's a good starting point.
Then, when you have troubles with specific points, come back, show your code here, and ask for help.

What is the point of maven's OpenPGP signatures if anyone can create and upload any keys?

Sonatype requires the (non-SNAPSHOT version) artifacts to be GPG-signed; the public OpenPGP keys should be uploaded to a (MIT) key server.
But anyone can create any OpenPGP key with any name and e-mail and upload them to the key server. There is (as far as I know; or am I wrong?) no automatic mechanism in place to associate a particular software project/library with a particular public key. Sure, if anyone wants to check the authenticity of the artifacts, one can always request the public key from the software authors, or perhaps the key is already published somewhere (in a way that associates it with the particular software project); but since this cannot be done automatically, hardly anyone ever does it.
So it seems that the whole OpenPGP-signing procedure, also by being quite technical and time-consuming, serves more to instill a false sense of security than actually providing much security to the average user.
So shouldn't there be an automatic/streamlined way to associate software projects with OpenPGP keys to make the whole thing actually secure?
Applying OpenPGP signatures allows others to verify authorship through the web of trust. As this indeed is a rather complicated approach with a rather steep learning curve, this is not enforced by default.
Sander Mak wrote an excellent introduction about verification of OpenPGP signatures in Maven. Sadly, he does not show a better way for performing automatic verification but using commercial software as Maven Central proxy:
Automatic verification?
By now, you must be thinking 'that is an awful lot of work just to verify a single dependency'. And you're absolutely right. Applications typically use many dependencies, and checking them all by hand quickly becomes tedious. In my opinion, there is a huge opportunity for Maven-based build tools to support automatic PGP signature verification. Until that is the case though, you can also use Sonatype's Nexus repository manager as a proxy to Maven Central. It can automatically check the PGP signatures for proxied artifacts and refuse to serve them when the signature check fails. Unfortunately, this is only possible using the commercial version Nexus Pro, not with the open source version.
I recently came across a rather new project, the Verify PGP signatures plugin (code on GitHub), which is a Maven artifact to verify OpenPGP signatures of other artifacts and enables you to whitelist keys allowed to sign given artifacts.
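The answer's last point, a whitelist of keys allowed to sign given artifacts, is the policy that turns a key-server lookup into something meaningful: the artifact's group id is bound to specific key fingerprints, so a freshly uploaded key carrying the same name and e-mail is rejected. The following is an added illustration of that policy check, not the plugin's code: the group ids, fingerprints and user ids are constructed, and the longest-prefix matching on group id is an assumption of this example.

```python
import re
from dataclasses import dataclass

FPR_RE = re.compile(r"^[0-9A-F]{40}$")


@dataclass(frozen=True)
class Key:
    fingerprint: str  # full 40-hex OpenPGP v4 fingerprint (the trust anchor)
    uid: str          # "Name <email>" as written on the key; anyone can choose it


def normalize_fpr(fpr: str) -> str:
    """Strip the usual 4-char grouping spaces and upper-case the hex."""
    fpr = fpr.replace(" ", "").upper()
    # Short (8/16-hex) key ids are collidable; insist on the full fingerprint.
    if not FPR_RE.match(fpr):
        raise ValueError(f"not a full 40-hex fingerprint: {fpr!r}")
    return fpr


# Constructed allowlist: group id prefix -> fingerprints allowed to sign it.
ALLOWLIST = {
    "org.example": {"1111 2222 3333 4444 5555 6666 7777 8888 9999 AAAA"},
    "org.example.security": {"BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333 4444"},
}


def allowed_fingerprints(group_id: str, allowlist=ALLOWLIST) -> set:
    """Return the fingerprints for the most specific matching prefix; an
    unlisted group id yields an empty set, i.e. the check fails closed."""
    best = None
    for prefix in allowlist:
        if group_id == prefix or group_id.startswith(prefix + "."):
            if best is None or len(prefix) > len(best):
                best = prefix
    return set() if best is None else {normalize_fpr(f) for f in allowlist[best]}


def is_trusted_signer(group_id: str, key: Key, allowlist=ALLOWLIST) -> bool:
    """Decide purely on the fingerprint; the uid is never consulted."""
    return normalize_fpr(key.fingerprint) in allowed_fingerprints(group_id, allowlist)


# Constructed keys: the impostor copied the project's uid onto a new key.
LEGIT = Key("1111 2222 3333 4444 5555 6666 7777 8888 9999 AAAA",
            "Example Project <release@example.org>")
IMPOSTOR = Key("DEAD BEEF DEAD BEEF DEAD BEEF DEAD BEEF DEAD BEEF",
               "Example Project <release@example.org>")

if __name__ == "__main__":
    print(is_trusted_signer("org.example.core", LEGIT))       # True
    print(is_trusted_signer("org.example.core", IMPOSTOR))    # False, same uid
    print(is_trusted_signer("org.example.security", LEGIT))   # False, narrower policy
    print(is_trusted_signer("com.unrelated", LEGIT))          # False, fails closed
```

The point of the example is where the trust comes from: the allowlist file is the artifact-to-key binding the question says is missing, and it has to be maintained out of band (reviewed in version control), because nothing on the key server itself can supply it.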

Extracting HTTPS packets before encryption

Say we have a Windows application, which sends some packets over HTTPS.
We need to extract the content of these packets (unencrypted of course).
There is no way to get hands on server private certificate and MitM attack doesn't work (some MitM defense is used by this application).
So, decryption seems to be off the table.
The only choice (I suppose) is to extract these packets from the application before they get encrypted.
Application is well protected, it has no dependency on OpenSSL DLLs. However, we have a certain feeling that it uses OpenSSL (but statically linked; maybe the OpenSSL source was even modified before compiling/linking).
Hooking a call to OpenSSL functions (like ssl_write()) is not simple, because the application's executable is packed and obfuscated. It also has debugging protection, but a stealth debugger, which avoids this defense, has already been found.
So, we can debug this application. However, the code, as seen during debugging, is a complete mess (obfuscated).
Even the system DLLs being loaded by this application are completely messed up. Here is an example of how the send() function from WS2_32.dll looks during debugging of this application:
http://s2.postimg.org/pjzaipx0p/image.png
For reference, here is how it looks from a normal (unprotected) application:
http://s21.postimg.org/3kzntkn93/image.png
So, it's very hard to understand how the function arguments are passed; moreover it looks like they can be passed in different ways (not sure, but it looks so according to debugging experiments).
This seems to be a quite common task, since there are many Windows applications which use HTTPS and statically linked OpenSSL.
Hopefully somebody has such experience and can share it.

In need of a practical certificate tutorial/overview

Can anyone recommend me an overview about certificate management? I'm a big "learn from Wikipedia" type of guy but the relevant data there is general information on public-key cryptography, and I'm looking to map that to practical knowledge about how certs are used (web browsing, exchange of business messages, etc.)
I don't need super-detailed information at this point, but I'm looking for a general overview about things like:
File types one would expect to see, and what kind of information they contain
How certs are organized and "chained"
What certs are used for - I generally understand the basics like signing and encryption, but I know they're used for a lot more than that. For example, how are certs used in web browsing (to validate a site), or HTTPS (to secure transmission)?
I'm a Windows guy, so information about the way certs are organized and used in Windows (the cert store) would be helpful as well.
Thanks!

What to use Windows CardSpace for?

I'm doing some funky authentication work (and yes, I know, open-id is awesome, but then again my open-id doesn't work right at this moment!).
Stumbling across Windows CardSpace I was wondering if anyone has used this in a real product system. If you have used it, what were the pros and cons for you? And how can I use it in my open-id?
Umm no you don't; you can accept information cards on a web site using a cheap and cheerful certificate (but not self-signed) or no certificate at all.
And yes, I've used it as part of a production system which grew out of a proof of concept I did at Microsoft.
Cons: If you don't have an EV SSL certificate you get warnings. The code for parsing a card is incomplete at best (you have to hack it around for no-SSL), you have to explain to users what one is.
Pros: Well that's more interesting; I was using managed cards and issuing them and then having 3rd parties use those to check claims; but for self issued cards; well, it's stronger than username password and doesn't have the same vulnerabilities OpenID has.