Trusting this website

This page's goal is to help you make a decision about whether to trust this website's content.

Trusting contents on the wild wild web is a tricky matter. The content of this page might scare you, but it applies to basically anything you download on the web.

Identity

My name is Virgil Dupras, I live in Quebec, Canada. I'm a professional software developer.

Virgil Dupras' current PGP key

Fingerprint: A1EA 6FFC 0048 E90B 1B90 9DD9 177F E67D B65D 89FE

Trusting Virgil Dupras

This website claims to serve contents authored by "Virgil Dupras", me. The first thing you have to trust is that I have no malicious intent. If you can't trust that, a full code audit is necessary. You'll also have to build everthing from that source you've fully audited, of course.

However, you can reasonably infer that I'm unlikely to have malicious intent. If I live where I claim to live, you know that this is a country with the rule of law. You can also verify that this website has been running for a while. It's likely that if I had had malicious behavior in the past, it would have been detected and I would have been prosecuted for it.

But then again, you can't be sure. This level of trust requires a leap of faith.

Trusting hardcoded.net

This website claims to serve contents authored by "Virgil Dupras". How can you be sure that it's actually him that manages this domain?

First, a WHOIS check is in order. Nothing stops someone from registering a domain name with a false identity, but because doing so is not permitted, it's reasonable to assume that in the case of a domain that has been registered for as long as hardcoded.net, it's likely that the registrant's contact information is valid.

Then, you have to ask yourself if you're really in communication with hardcoded.net. There could be someone intercepting your communication and feeding you false content. To ensure that you communicate with hardcoded.net, you have to use an encrypted channel, that is, HTTPS.

The SSL certificate used by this website is signed by Let's Encrypt, which guarantees that the server you're communicating with is controlled by a person who had access to the server where hardcoded.net points to, and that, in the last 3 months.

That, or you're communicating with someone who compromised hardcoded.net servers and stole its SSL private key.

Trusting the contents

Even if you're communicating with the right server, belonging to a non-malicious "Virgil Dupras", that "Virgil Dupras" doesn't claim to be a security expert. The server he manages is not imprevious to skilled hackers.

If the server is compromised, so is the contents. That you are downloading this contents over SSL isn't going to protect you from malicious code. This is why each download is accompanied by a PGP signature. That signature is made with the key referenced above.

Nothing stops a skilled hacker having compromised this server from replacing the key referenced above with a fake key. But you can trust that the real "Virgil Dupras" will notice if the PGP key gets replaced and will take swift action. Thus, if you import the PGP key now and wait a few days, you can be reasonably sure (if of course the key hasn't changed) that this key belongs to the rightful owner of the server.

Using GPG

As a quick reference, here's how to validate contents of this website:

$ curl https://www.hardcoded.net/virgil-dupras.pgp | gpg --import
$ gpg --edit-key B65D89FE
gpg> list
( make sure that there's only one key in there )
gpg> lsign
( this validates the key locally without affecting the web of trust )
gpg> save
$ curl -O https://download.hardcoded.net/moneyguru-src-2.10.2.tar.gz
$ curl -O https://download.hardcoded.net/moneyguru-src-2.10.2.tar.gz.sig
$ gpg --verify moneyguru-src-2.10.2.tar.gz.sig

Trusting Virgil Dupras' personal computer

A server is much more vulnerable to attacks than a personal computer, which is why I sign packages with PGP. My PGP private key is only present on my personal computer and my backups. Therefore, only someone who managed to access my personal computer, get my PGP private key, sniffed the password, can have a valid signature of those packages with the key referenced above.

I take reasonable precautions to protect my PGP key and the integrity of my personal computer, but I can't say that I take all necessary steps. Yes, I sometimes install and run software that can't be reasonably trusted.

I'm planning on having a more secure setup where my build/deploy machines (where SSH and PGP keys are) are separate from my development environment (where I tend to need many programs installed), but I am not there yet. When I am, I'll revoke this PGP key above and generate a new.

Conclusion

Verifying package signatures is the absolute minimum you should do to keep malicious software at bay. Even this method requires a leap of faith and is not 100% safe, but hey, just by doing this, you'll already do better than the vast, vast majority of people out there.