Topic: Apache Backdoor
Tonyz



Joined: 20 Nov 2006
Posts: 13

Posted: Mon 20 Nov '06 0:47    Post subject: Apache Backdoor

I have downloaded the MSI from the Apache site and have got the MD5 signature.

As long as the download matches the MD5 signature would I be reasonably safe in assuming that I wouldn't have to worry about a backdoor? If not, does anyone know how I can check for that?

I have also downloaded PHP and the MD5 signature for that. I guess the same thing applies there too?

Regards,


Tony
Brian



Joined: 21 Oct 2005
Posts: 209
Location: Puyallup, WA USA

Posted: Mon 20 Nov '06 0:52

To me backdoor suggests a security breach that could more likely apply to a flaw in the architecture of the server (in this case Apache).

A backdoor suggests a way of defeating the inherent security, to bypass it. By matching up the checksum values, you are ensuring that you are getting the files as you should, valid and correct from the source. This does not in any way guarantee that there is not a flaw in the software that in turn could be a backdoor.
Tonyz



Joined: 20 Nov 2006
Posts: 13

Posted: Mon 20 Nov '06 5:23

Brian wrote:
To me backdoor suggests a security breach that could more likely apply to a flaw in the architecture of the server (in this case Apache).

A backdoor suggests a way of defeating the inherent security, to bypass it.


I was actually thinking about the situation where you get the Apache code but someone has built a backdoor into Apache to let external access be achieved.

However, it sounds as though, as long as the MD5 signatures match it is probably unlikely that someone would have built a deliberate backdoor into Apache.
Brian



Joined: 21 Oct 2005
Posts: 209
Location: Puyallup, WA USA

Posted: Mon 20 Nov '06 19:51

I actually was thinking of that very same scenario. Even with the verified download, how do we really know there is not a backdoor?

My answer in this case: open source

In other instances, such as with Microsoft's IIS, Server NOS's, and so on, I say the key word is: proprietary

But the thing is, there really is no absolute way to be sure there is no back door unless you comb through the source, ensure to your satisfaction there is no back door, then compile it into your own binaries, and run them.

Short of that, you are certainly going to be safe running the checksum verified downloads you find here that are provided by Steffen, who compiles the binaries himself, as well as at the official Apache website. Get the sources anywhere else for Apache, you should be sure you want to trust them. I mean in theory you could add a backdoor, re-do the MD5 checksum, then provide the download with a valid checksum with a back door...

...oooops, now I am seeing black helicopters out my window.
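The point in the post above, as an added example (not code from any poster or from the Apache project): a checksum published beside a download only shows that the file matches what that site serves, while a digest obtained from a source you trust independently catches a substituted file. The file name and byte strings are constructed, and the md5sum-style line format is an assumption.

```python
import hashlib
import hmac

def file_digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of the downloaded bytes."""
    return hashlib.new(algo, data).hexdigest()

def parse_checksum_line(line: str) -> tuple[str, str]:
    """Parse one md5sum-style line: '<hex digest> [*]<filename>' (assumed format)."""
    digest, name = line.strip().split(None, 1)
    return digest.lower(), name.lstrip("*")

def verify(data: bytes, expected_hex: str, algo: str = "md5") -> bool:
    """Constant-time comparison of the computed digest with the expected one."""
    return hmac.compare_digest(file_digest(data, algo), expected_hex.lower())

# Constructed sample data, not real installer contents.
GENUINE = b"constructed stand-in for the genuine installer bytes"
ALTERED = GENUINE + b" plus an unwanted change"
NAME = "example-installer.msi"  # hypothetical file name

# Digest recorded from a source trusted independently of the download site.
PINNED_MD5 = file_digest(GENUINE)

def checksum_file_for(data: bytes) -> str:
    """The checksum file a site publishes next to whatever file it serves."""
    return f"{file_digest(data)} *{NAME}\n"

def check_download(data: bytes, sidecar: str, pinned: str) -> dict:
    """Run both checks so the difference between them is visible."""
    sidecar_digest, _ = parse_checksum_line(sidecar)
    return {
        "matches_sidecar": verify(data, sidecar_digest),
        "matches_pinned": verify(data, pinned),
    }

if __name__ == "__main__":
    # Genuine file from a genuine site: both checks pass.
    print(check_download(GENUINE, checksum_file_for(GENUINE), PINNED_MD5))
    # Altered file served with a checksum regenerated by the same site:
    # the sidecar check passes, only the pinned digest exposes the change.
    print(check_download(ALTERED, checksum_file_for(ALTERED), PINNED_MD5))
```

Neither check says anything about flaws or backdoors present in the genuine build itself, which is the source-review question raised in the thread.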
Jorge



Joined: 12 Mar 2006
Posts: 376
Location: Belgium

Posted: Mon 20 Nov '06 21:14

Brian wrote:
...oooops, now I am seeing black helicopters out my window.


Last time I saw them I had to change my name, sex and learn a new language

Back on a serious note it all depends on who you trust... if you trust Steffen you need not worry, if you don't... well you have a problem.