Fractal OS X Developer Certificate

grape

Sorry, I posted before I even finished writing the title. It should have said "Fractal's SSL cert" and refers to the following post:

https://forum.fractalaudio.com/threads/os-x-expired-certificate-not-a-problem.131726/

The post says that the expired cert isn't a problem but it actually is. The cert is there to verify that the package came from who it says it came from. In this day and age, it is important to protect your company and yourself and this bit helps. Even if you *think* you downloaded it directly from Fractal's site, it could in fact be malicious.

To improve security, Fractal should really store checksums of their product and post those as well so that the security-minded folks can verify that the download is in fact correct. The checksum info should be served from a separate location from the download to guard against the possibility that someone hacked both the binary and the checksum.

Then, if your cert expired, users can at least have the assurance that the download is "safe".

Expired certs are always a problem. Yes, the workaround is to accept it and move forward but it's not "ok". Stating so encourages a lack of diligence in circumventing the checks that help ward against viruses, spyware etc.

Fractal I love you guys. Don't get me wrong.
 
I made the title better for you.

I think you're over-reacting.

Who validates the contents are from the developer before they run their software? No one? Few for sure. All you do is trust the OS does validation and the OS only cares that _any_ valid developer certificate was used to sign the package contents. So someone malicious, with a valid developer certificate, can still trick you into running malicious software.

Thankfully, SIP ensures privilege escalation exploits on OS X are very, very hard. It isn't enough to even trick someone into giving you escalated privs on the system by asking for a password. There are fundamental changes, necessary for hiding and propagating malicious software, that can't be made while the computer is running in non-recovery, every-day-use mode now.
 
Iaresee, I'm not overreacting. The lack of awareness and action on both sides leads to the spread of viruses, malware and spyware. Apple provided the most passive way that they can help protect users. Circumventing that is bad. I'm not saying that Fractal is up to something malicious. Not at all. But accuracy concerning security statements is important. Expired cert != not a problem. It is absolutely a problem.

It would take one person to compromise the files that are available for download in order to affect pretty much all users. And yes, they could do that with a valid dev cert... but that's a little harder and not circumvented if the checksum is supplied.

With Fractal's statement as is, users are encouraged to just continue and trust that it's ok. It's unnecessarily encouraging bad behavior. Most people don't care about this but for those who understand the danger, at least correct the language and provide a checksum. I'm sure Fractal understands this realm... they protect their firmware with all tools available b/c they don't want it hacked. I'm suggesting that they handle software downloads with the same care.

If the software were to get hacked, at least they can say with confidence that they provided the most accurate information to the user so that they can decide. It's a simple ask... common practice in fact.
 
PS thank you for changing the title for me. I have no idea how I managed to send it while typing an incomplete title... must be my hacked Axe-Edit at work ;0)
 
I’m with Grape on this one. I work cyber security as my day job. By telling users it’s ok to ignore a security warning you are facilitating the same user behavior that leads to most malware infections.
 
I'm with @grape on this one. Infosec people fight a constant battle to educate users. A single instance where the official line is "Ignore the warning" can undo months or years of a security awareness campaign. The consequences of that can extend far beyond the app or OS of the moment.
 
If only that were the answer to security. :)

It's not. The point is that this is a temporary situation. If you feel uncomfortable, DON'T DO IT. A few more days won't hurt if you are cautious.

I'm in the industry too. Well enough to understand there are risks here. If you feel like you might be compromised (and don't have the requisite protections on your box), then hold off. Since FAS posted, they are well aware, and are working on it. Posting about it is...annoying...since there is already a thread from them about it.
 
iaressee, downloading over http is also an issue and why I was asking for checksums for better safety. https would be better since (if you trust it) there would be better assurance that the source of the file is in fact Fractal. Anyway, I posted this in the Lounge to express my opinion about a statement from a company that I actually have a vested interest in (as well as the well being of their clients). I knew it would annoy some people but ignoring security concerns that are relatively easy to address is never a good thing. Hopefully this is never an issue but it certainly is at a higher risk without the proper safeguards.

You download the software over http...
 
To be fair, if you can compromise the software on a site, you can easily compromise the posted checksum at the same time.... checksumming offers the illusion of safety, at best.
 
iaressee, downloading over http is also an issue and why I was asking for checksums for better safety.
Checksums are only useful if users know how to use them. Those same users who can rationalize about an expired certificate can't do a checksum verification either. They're also easy to update if you want to compromise the software.

Better is a detached signature with something like gpg, but that's even harder for your run-of-the-mill user to comprehend how to use.

All goes back to my statement: mountains out of molehills.
 
Really...

To create a checksum on OSX (similar on other OSes) - this is something that Fractal can do to create an SHA512 checksum:
shasum -a 512 Axe-Edit-OSX-v3p14p3.dmg > Axe-Edit-OSX-v3p14p3.dmg.sha512

To verify the file after downloading the dmg and the checksum file to the same directory:
shasum -c Axe-Edit-OSX-v3p14p3.dmg.sha512

It will output:
Axe-Edit-OSX-v3p14p3.dmg: OK
OR
Axe-Edit-OSX-v3p14p3.dmg: FAILED
shasum: WARNING: 1 computed checksum did NOT match

This is for people who care. And yes, as I said from the start, the dmg and checksum files need to be isolated as much as possible so they can't both be compromised. For example, it's common for downloads to be pushed to CDNs completely apart from the website and the checksum to be stored on the website.
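As an added illustration (not code from the post or from Fractal), a small Python checker that parses the shasum-style .sha512 file described above and verifies the download the same way `shasum -c` does; the installer stand-in, its checksum file and a tampered copy are constructed in a temp directory so it runs offline:

```python
import hashlib
import hmac
import os
import tempfile

def parse_shasum_line(line):
    """Parse one shasum output line: '<hex>  <name>' (text) or '<hex> *<name>' (binary)."""
    digest, _, name = line.strip().partition(" ")
    name = name.lstrip(" ")
    if name.startswith("*"):          # binary-mode marker used by shasum -b
        name = name[1:]
    return digest.lower(), name

def verify_sha512(file_path, checksum_path):
    """Return (status, computed_hex); status is 'OK', 'FAILED' or 'NO ENTRY'."""
    expected = None
    with open(checksum_path) as f:
        for line in f:
            if line.strip():
                digest, name = parse_shasum_line(line)
                if name == os.path.basename(file_path):
                    expected = digest
    h = hashlib.sha512()
    with open(file_path, "rb") as f:            # stream so large .dmg files fit in memory
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    computed = h.hexdigest()
    if expected is None:
        return "NO ENTRY", computed             # checksum file does not cover this file
    ok = hmac.compare_digest(expected, computed)  # constant-time comparison
    return ("OK" if ok else "FAILED"), computed

def demo():
    """Constructed example: fake installer, its checksum file, then a tampered download."""
    with tempfile.TemporaryDirectory() as d:
        dmg = os.path.join(d, "Axe-Edit-OSX-v3p14p3.dmg")
        with open(dmg, "wb") as f:
            f.write(b"constructed installer bytes, not a real dmg\n")
        sums = dmg + ".sha512"
        with open(dmg, "rb") as f:
            good_hex = hashlib.sha512(f.read()).hexdigest()
        with open(sums, "w") as f:
            f.write(good_hex + "  " + os.path.basename(dmg) + "\n")
        good, _ = verify_sha512(dmg, sums)
        with open(dmg, "ab") as f:
            f.write(b"X")                       # simulate a tampered download
        bad, _ = verify_sha512(dmg, sums)
        return good, bad
```

Fetching the .sha512 file from a different host than the .dmg, as the post suggests, is what makes a mismatch meaningful; the checker itself only tells you whether the two agree.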
 
To be fair, if you can compromise the software on a site, you can easily compromise the posted checksum at the same time.... checksumming offers the illusion of safety, at best.

You didn't read my post...
The checksum info should be served from a separate location from the download to guard against the possibility that someone hacked both the binary and the checksum.
 
While I'm not concerned about FAS firmware being verified against a checksum, I do verify a lot of software/firmware checksums as a rule.

This is a great utility for verifying checksums on the Windows platform: MD5_and_SHA_Checksum_Utility
 