On Wed, Jun 09, 2004 at 06:44:42AM -0700, Karl Hegbloom wrote:
> Now what if instead of http, we used https for access to the Debian
> software archives? As I understand it, https would make this sort of
> MIM setup impossible. Is that correct?

No.

> Are there any experts on this
> subject out there who can vouch for that?

Yes. It was even mentioned in crypto-gram a few months ago.

> Can proxied https be
> subverted, to where a person's website passwords can be obtained by a
> middle man?

Yes. We even ship tools to do it: webmitm from dsniff does this.

HTTPS is precisely as secure as the method by which you verified the
server certificate. When did you last verify the server certificate
securely while using https? Ever?

Note that the following methods are obviously useless:

a) Anything that came preinstalled on the box when you got it
b) Anything that you downloaded via an insecure session
c) Anything involving verisign

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |