Page 1 of 2 1 2 LastLast
Results 1 to 10 of 11
  1. #1
    ROG Junior Member Array
    Join Date
    Mar 2017
    Reputation
    10
    Posts
    4

    Digital signature on BIOS download

    Greetings,

    I want to update the BIOS to my motherboard but I'm concerned by several things with regards to trusting the source of the BIOS file:

    1) The BIOS download from the Asus website is over http
    2) The BIOS download file is not digitally signed


    Due to the importance of the BIOS, it seems negligent to not have these two issues resolved. When can we expect these two issues to be fixed?

  2. #2
    ROG Guru: Orange Belt Array R5Eandme PC Specs
    R5Eandme PC Specs
    MotherboardRampage V Extreme/U3.1
    Processori7-5930K
    Memory (part number)Corsair Vengeance LPX CMK64GX4M8A2400C14
    Graphics Card #1MSI Geforce GTX 980Ti
    Sound CardAsus Essence STX II
    MonitorAcer B286HK 4K UHD
    Storage #1Samsung 960 Pro 1TB NVMe
    Storage #2Samsung 850 Pro 1TB SSD
    CPU CoolerNoctua NH-D15S
    CaseCooler Master HAF 932
    Power SupplyThermaltake TPG-1200M-F 1200W
    Keyboard Corsair K70 Cherry MX Brown
    Mouse Asus Sica
    Mouse Pad "And God said ... <Maxwell's equations> ... and there was light."
    OS Win 10 x64 Pro
    Accessory #1 Asus USB 3.1 A, StarTech USB 3.1 C PCIe adapters
    Accessory #2 Syba 1394A/B Firewire PCIe adapter PEX30009
    Accessory #3 Asus OC Panel I
    R5Eandme's Avatar
    Join Date
    Jun 2017
    Reputation
    58
    Posts
    263

    I notice more and more these days that MD5 or SHA256 hashes are provided so you can verify that your downloaded file has not been tampered with. I assume that the tampering would occur on the source website? So I can see the usefulness of providing a signature so we can know we've downloaded an authentic file. Without us users manually verifying the authenticity of a downloaded BIOS file, I am not sure how that first trusted step in the boot process is protected. Maybe the downloaded file has a signature that is verified by the motherboard before it lets the system boot? Maybe an expert can chime in.

    Your other comment about HTTP: without the encryption of HTTPS, a hacker can use packet sniffing of the BIOS files as they download. But anyone can go to the ASUS website and download the BIOS files for themselves. What extra protection is there from HTTPS in this case?

  3. #3
    ROG Junior Member Array
    Join Date
    Mar 2017
    Reputation
    10
    Posts
    4

    Quote Originally Posted by R5Eandme View Post
    I notice more and more these days that MD5 or SHA256 hashes are provided so you can verify that your downloaded file has not been tampered with. I assume that the tampering would occur on the source website? So I can see the usefulness of providing a signature so we can know we've downloaded an authentic file. Without us users manually verifying the authenticity of a downloaded BIOS file, I am not sure how that first trusted step in the boot process is protected. Maybe the downloaded file has a signature that is verified by the motherboard before it lets the system boot? Maybe an expert can chime in.

    Your other comment about HTTP: without the encryption of HTTPS, a hacker can use packet sniffing of the BIOS files as they download. But anyone can go to the ASUS website and download the BIOS files for themselves. What extra protection is there from HTTPS in this case?
    HTTPS stops man in the middle attacks. A digital signature will be better than just a SHA256 hash if the public key of the signer is reasonably trusted to be authentic as a provided SHA256 hash could theoretically be replaced (via hacking) with the SHA256 hash of the modified bios.

  4. #4
    ROG Guru: Orange Belt Array R5Eandme PC Specs
    R5Eandme PC Specs
    MotherboardRampage V Extreme/U3.1
    Processori7-5930K
    Memory (part number)Corsair Vengeance LPX CMK64GX4M8A2400C14
    Graphics Card #1MSI Geforce GTX 980Ti
    Sound CardAsus Essence STX II
    MonitorAcer B286HK 4K UHD
    Storage #1Samsung 960 Pro 1TB NVMe
    Storage #2Samsung 850 Pro 1TB SSD
    CPU CoolerNoctua NH-D15S
    CaseCooler Master HAF 932
    Power SupplyThermaltake TPG-1200M-F 1200W
    Keyboard Corsair K70 Cherry MX Brown
    Mouse Asus Sica
    Mouse Pad "And God said ... <Maxwell's equations> ... and there was light."
    OS Win 10 x64 Pro
    Accessory #1 Asus USB 3.1 A, StarTech USB 3.1 C PCIe adapters
    Accessory #2 Syba 1394A/B Firewire PCIe adapter PEX30009
    Accessory #3 Asus OC Panel I
    R5Eandme's Avatar
    Join Date
    Jun 2017
    Reputation
    58
    Posts
    263

    Quote Originally Posted by semajy View Post
    HTTPS stops man in the middle attacks. A digital signature will be better than just a SHA256 hash if the public key of the signer is reasonably trusted to be authentic as a provided SHA256 hash could theoretically be replaced (via hacking) with the SHA256 hash of the modified bios.
    What you say about SHA-256 makes sense. I've even seen a hash for users to verify the hash for a file they downloaded! I guess a private key for a signature is safer. Maybe the ASUS BIOS file downloads contain a digital signature already, I don't know.

    Concerning the man in the middle attack: How does that work? Would a hacker intercept an unencrypted (HTTP) BIOS download and replace it with a malicious version "on the fly", so you receive a bad BIOS file without knowing it? The hacker would have to somehow get set up ahead of time to intercept web traffic? I know that most websites have gone to HTTPS now, so that traffic is encrypted. Does that stop man in the middle attacks?
    Last edited by R5Eandme; 04-07-2018 at 02:48 PM.

  5. #5
    ROG Enthusiast Array Sigtran PC Specs
    Sigtran PC Specs
    MotherboardAsus Crosshair VI Hero
    ProcessorRyzen 9 3900x
    Memory (part number)F4-3200C14D-16GVK @ 3466MHz
    Graphics Card #1Gigabyte GTX1080ti Gaming OC
    Monitor24" Dell Ultrasharp 2407WFP-HC
    Storage #1Samsung 960 EVO 500GB
    Storage #2Samsung 860 EVO 1TB
    CPU CoolerNoctua NH-D14
    CaseCoolerMaster 690
    Power SupplyCorsair HX750
    Keyboard Dell SK-8115
    Mouse Logitech M705
    Headset/Speakers Logitech X-540
    OS Win10 X64 Home
    Accessory #1 Logitech C930e webcam
    Sigtran's Avatar
    Join Date
    Sep 2017
    Reputation
    27
    Posts
    60

    Quote Originally Posted by R5Eandme View Post
    I know that most websites have gone to HTTPS now, so that traffic is encrypted. Does that stop man in the middle attacks?
    Yes, that is one of the main points of https, since traffic is encrypted, there is no easy and quick way to "attack it in the middle". So if the website is genuine (i.e. not hacked), you can be reasonably sure that the content is also genuine.
    Last edited by Sigtran; 04-08-2018 at 07:17 AM.

  6. #6
    ROG Guru: Orange Belt Array R5Eandme PC Specs
    R5Eandme PC Specs
    MotherboardRampage V Extreme/U3.1
    Processori7-5930K
    Memory (part number)Corsair Vengeance LPX CMK64GX4M8A2400C14
    Graphics Card #1MSI Geforce GTX 980Ti
    Sound CardAsus Essence STX II
    MonitorAcer B286HK 4K UHD
    Storage #1Samsung 960 Pro 1TB NVMe
    Storage #2Samsung 850 Pro 1TB SSD
    CPU CoolerNoctua NH-D15S
    CaseCooler Master HAF 932
    Power SupplyThermaltake TPG-1200M-F 1200W
    Keyboard Corsair K70 Cherry MX Brown
    Mouse Asus Sica
    Mouse Pad "And God said ... <Maxwell's equations> ... and there was light."
    OS Win 10 x64 Pro
    Accessory #1 Asus USB 3.1 A, StarTech USB 3.1 C PCIe adapters
    Accessory #2 Syba 1394A/B Firewire PCIe adapter PEX30009
    Accessory #3 Asus OC Panel I
    R5Eandme's Avatar
    Join Date
    Jun 2017
    Reputation
    58
    Posts
    263

    Quote Originally Posted by Sigtran View Post
    Yes, that is one of the main points of https, since traffic is encrypted, there is no easy and quick way to "attack it in the middle". So if the website is genuine (i.e. not hacked), you can be reasonably sure that the content is also genuine.
    So unless ASUS BIOS downloads are already protected through a digital signature, their download pages should really be using HTTPS protocol like most websites these days. They should probably use HTTPS anyway.

  7. #7
    ROG Enthusiast Array VRBabe81 PC Specs
    VRBabe81 PC Specs
    MotherboardROG Crosshair VI Hero X370
    ProcessorAMD Ryzen 7 1800X
    Memory (part number)F4-3200C14D-16GFX
    Graphics Card #1EVGA GTX 1080 Ti SC2 Hybrid
    Monitor22" LG 1080p
    Storage #1SAMSUNG 850 EVO 500gb
    Storage #2SEAGATE 2TB 7200RPM
    CPU CoolerCORSAIR H100i V2 AIO
    CaseFRACTAL DESIGN DEFINE R5 Titanium
    Power SupplyCORSAIR HX850W 80+ Platinum
    Keyboard MICROSOFT
    Mouse ALIENWARE
    Headset SONY H.ear On MDR-100ABN Pink
    Mouse Pad ALIENWARE
    OS MICROSOFT Windows 10 Pro
    Accessory #1 OCULUS Rift With Touch
    VRBabe81's Avatar
    Join Date
    Jun 2017
    Reputation
    10
    Posts
    66

    What if the user is connected to a VPN? Would that stop it and could a man in the middle attack still happen?

    Sent from my SM-G920F using Tapatalk


  8. #8
    ROG Enthusiast Array Sigtran PC Specs
    Sigtran PC Specs
    MotherboardAsus Crosshair VI Hero
    ProcessorRyzen 9 3900x
    Memory (part number)F4-3200C14D-16GVK @ 3466MHz
    Graphics Card #1Gigabyte GTX1080ti Gaming OC
    Monitor24" Dell Ultrasharp 2407WFP-HC
    Storage #1Samsung 960 EVO 500GB
    Storage #2Samsung 860 EVO 1TB
    CPU CoolerNoctua NH-D14
    CaseCoolerMaster 690
    Power SupplyCorsair HX750
    Keyboard Dell SK-8115
    Mouse Logitech M705
    Headset/Speakers Logitech X-540
    OS Win10 X64 Home
    Accessory #1 Logitech C930e webcam
    Sigtran's Avatar
    Join Date
    Sep 2017
    Reputation
    27
    Posts
    60

    Quote Originally Posted by VRBabe81 View Post
    What if the user is connected to a VPN? Would that stop it and could a man in the middle attack still happen?
    VPN mainly help you from website blocking (if website has some limitation to your country or ISP), protects you from outside attacks (at least in some degree) and protects you from your ISP snooping (but transferring this "privilege" to your VPN provider).

    VPN secures the path from your computer to VPN provider but not to website - simply put VPN is a secure tunnel from your computer to VPN provider who then act as a your proxy to Internet. This opens a question can you 100% trust VPN provider, since it is a new "man in the middle". And if website is not https, there is also same potential weakness for usual "man in the middle" attack on path between VPN provider and website, not to mention a possibility that website could be hacked without you noticing.

    And even website is https and genuine, you are (yet only) reasonable safe - beside now having to trust your VPN provider (instead of your ISP before), there is for example a possibility you having some malware or virus on computer, that could also act as a kind of "man in the middle".

    Conclusion: As in the real world, there is no 100% security&safety on Internet but https a reasonable measure to prevent some important issues that normal http is having. A don't forget to use some good internet security SW - antivirus/antimalware/firewall, even though they are new "man in the middle", but someone you have to decide to trust...
    Last edited by Sigtran; 04-09-2018 at 01:28 PM.

  9. #9
    ROG Guru: Orange Belt Array R5Eandme PC Specs
    R5Eandme PC Specs
    MotherboardRampage V Extreme/U3.1
    Processori7-5930K
    Memory (part number)Corsair Vengeance LPX CMK64GX4M8A2400C14
    Graphics Card #1MSI Geforce GTX 980Ti
    Sound CardAsus Essence STX II
    MonitorAcer B286HK 4K UHD
    Storage #1Samsung 960 Pro 1TB NVMe
    Storage #2Samsung 850 Pro 1TB SSD
    CPU CoolerNoctua NH-D15S
    CaseCooler Master HAF 932
    Power SupplyThermaltake TPG-1200M-F 1200W
    Keyboard Corsair K70 Cherry MX Brown
    Mouse Asus Sica
    Mouse Pad "And God said ... <Maxwell's equations> ... and there was light."
    OS Win 10 x64 Pro
    Accessory #1 Asus USB 3.1 A, StarTech USB 3.1 C PCIe adapters
    Accessory #2 Syba 1394A/B Firewire PCIe adapter PEX30009
    Accessory #3 Asus OC Panel I
    R5Eandme's Avatar
    Join Date
    Jun 2017
    Reputation
    58
    Posts
    263

    Thanks for this clear and informative description of VPN and security in general.

  10. #10
    ROG Enthusiast Array VRBabe81 PC Specs
    VRBabe81 PC Specs
    MotherboardROG Crosshair VI Hero X370
    ProcessorAMD Ryzen 7 1800X
    Memory (part number)F4-3200C14D-16GFX
    Graphics Card #1EVGA GTX 1080 Ti SC2 Hybrid
    Monitor22" LG 1080p
    Storage #1SAMSUNG 850 EVO 500gb
    Storage #2SEAGATE 2TB 7200RPM
    CPU CoolerCORSAIR H100i V2 AIO
    CaseFRACTAL DESIGN DEFINE R5 Titanium
    Power SupplyCORSAIR HX850W 80+ Platinum
    Keyboard MICROSOFT
    Mouse ALIENWARE
    Headset SONY H.ear On MDR-100ABN Pink
    Mouse Pad ALIENWARE
    OS MICROSOFT Windows 10 Pro
    Accessory #1 OCULUS Rift With Touch
    VRBabe81's Avatar
    Join Date
    Jun 2017
    Reputation
    10
    Posts
    66

    Quote Originally Posted by Sigtran View Post
    VPN mainly help you from website blocking (if website has some limitation to your country or ISP), protects you from outside attacks (at least in some degree) and protects you from your ISP snooping (but transferring this "privilege" to your VPN provider).

    VPN secures the path from your computer to VPN provider but not to website - simply put VPN is a secure tunnel from your computer to VPN provider who then act as a your proxy to Internet. This opens a question can you 100% trust VPN provider, since it is a new "man in the middle". And if website is not https, there is also same potential weakness for usual "man in the middle" attack on path between VPN provider and website, not to mention a possibility that website could be hacked without you noticing.

    And even website is https and genuine, you are (yet only) reasonable safe - beside now having to trust your VPN provider (instead of your ISP before), there is for example a possibility you having some malware or virus on computer, that could also act as a kind of "man in the middle".

    Conclusion: As in the real world, there is no 100% security&safety on Internet but https a reasonable measure to prevent some important issues that normal http is having. A don't forget to use some good internet security SW - antivirus/antimalware/firewall, even though they are new "man in the middle", but someone you have to decide to trust...
    Thanks for your advice Sigtran my VPN is nordvpn and they don't do any logging as they say but I don't trust anyone lol.

    Sent from my SM-G920F using Tapatalk


Page 1 of 2 1 2 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •