Topic: Apache Backdoor |
Tonyz
Joined: 20 Nov 2006 Posts: 13
|
Posted: Mon 20 Nov '06 0:47 Post subject: Apache Backdoor |
|
|
I have downloaded the MSI from the Apache site and have got the MD5 signature.
As long as the download matches the MD5 signature would I be reasonably safe in assuming that I wouldn't have to worry about a backdoor? If not, does anyone know how I can check for that?
I have also downloaded PHP and the MD5 signature for that. I guess the same thing applies there too?
Regards,
Tony |
|
|
Brian
Joined: 21 Oct 2005 Posts: 209 Location: Puyallup, WA USA
|
Posted: Mon 20 Nov '06 0:52 Post subject: |
|
|
To me backdoor suggests a security breach that could more likely apply to a flaw in the architecture of the server (in this case Apache).
A backdoor suggests a way of defeating the inherent security, to bypass it. By matching up the checksum values, you are ensuring that you are getting the files as you should, valid and correct from the source. This does not in any way guarantee that there is not a flaw in the software that in turn could be a backdoor. |
|
|
Tonyz
Joined: 20 Nov 2006 Posts: 13
|
Posted: Mon 20 Nov '06 5:23 Post subject: |
|
|
Brian wrote: | To me backdoor suggests a security breach that could more likely apply to a flaw in the architecture of the server (in this case Apache).
A backdoor suggests a way of defeating the inherent security, to bypass it. |
I was actually thinking about the situation where you get the Apache code but someone has built a backdoor into Apache to let external access be achieved.
However, it sounds as though, as long as the MD5 signatures match it is probably unlikely that someone would have built a deliberate backdoor into Apache. |
|
|
Brian
Joined: 21 Oct 2005 Posts: 209 Location: Puyallup, WA USA
|
Posted: Mon 20 Nov '06 19:51 Post subject: |
|
|
I actually was thinking of that very same scenario. Even with the verified download, how do we really know there is not a backdoor?
My answer in this case: open source
In other instances, such as with Microsoft's IIS, Server NOS's, and so on, I say the key word is: proprietary
But the thing is, there really is no absolute way to be sure there is no back door unless you comb through the source, ensure to your satisfaction there is no back door, then compile it into your own binaries, and run them.
Short of that, you are certainly going to be safe running the checksum verified downloads you find here that are provided by Steffen, who compiles the binaries himself, as well as at the official Apache website. Get the sources anywhere else for Apache, you should be sure you want to trust them. I mean in theory you could add a backdoor, re-do the md5 Checksum, then provide the download with a valid checksum with a back door...
...oooops, now I am seeing black helicopters out my window. |
|
|
Jorge
Joined: 12 Mar 2006 Posts: 376 Location: Belgium
|
Posted: Mon 20 Nov '06 21:14 Post subject: |
|
|
Brian wrote: | ...oooops, now I am seeing black helicopters out my window. |
Last time I saw them I had to change my name, sex and learn a new language.
Back on a serious note it all depends on who you trust... if you trust Steffen you need not worry, if you don't... well you have a problem. |
|
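The point made in the thread, that a checksum re-done by whoever altered the file still "matches", shown as an added example that is not code from any poster or from Apache Lounge. The byte strings, the file name `installer.msi` and the function names are constructed for illustration; SHA-256 is used by default, and `algo="md5"` gives the checksum type the thread mentions.

```python
import hashlib
import hmac
import io


def stream_digest(fileobj, algo="sha256", chunk_size=65536):
    """Hash a binary file object in chunks so a large installer need not fit in memory."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def normalise(published):
    """Accept a bare hex digest or a 'HEX  filename' line from a checksum file."""
    parts = published.split()
    return parts[0].lower() if parts else ""


def classify(fileobj, shipped_digest, independent_digest, algo="sha256"):
    """Say which published checksum, if any, the download actually matches."""
    actual = stream_digest(fileobj, algo)
    if hmac.compare_digest(actual, normalise(independent_digest)):
        return "matches-independent-reference"   # same bytes the origin published
    if hmac.compare_digest(actual, normalise(shipped_digest)):
        return "matches-only-shipped-checksum"   # intact in transit, origin unproven
    return "corrupt-or-altered"


# Constructed stand-ins for an installer; these are not real Apache bytes.
ORIGINAL = b"constructed installer payload, as built by the project"
ALTERED = ORIGINAL + b" plus code the project never wrote"

# Assumption: OFFICIAL was copied from the project's own site, and
# MIRROR_LISTING is the checksum line served next to the altered file.
OFFICIAL = stream_digest(io.BytesIO(ORIGINAL))
MIRROR_LISTING = stream_digest(io.BytesIO(ALTERED)) + "  installer.msi"

if __name__ == "__main__":
    cases = [("official file", ORIGINAL, OFFICIAL),
             ("re-checksummed file", ALTERED, MIRROR_LISTING),
             ("truncated file", ORIGINAL[:-1], MIRROR_LISTING)]
    for label, blob, shipped in cases:
        print(label, "->", classify(io.BytesIO(blob), shipped, OFFICIAL))
```

A match against the independent reference still says nothing about flaws in the software itself, which is the distinction Brian draws in his first reply.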