[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: https for apt to prevent man in middle transparent proxy mirror attacks?

On Wed, Jun 09, 2004 at 06:44:42AM -0700, Karl Hegbloom wrote:
> Now what if instead of http, we used https for access to the Debian
> software archives?  As I understand it, https would make this sort of
> MIM setup impossible.  Is that correct?


> Are there any experts on this
> subject out there who can vouch for that?

Yes. It was even mentioned in crypto-gram a few months ago.

> Can proxied https be
> subverted, to where a persons website passwords can be obtained by a
> middle man?

Yes. We even ship tools to do it: webmitm from dsniff does this.

HTTPS is precisely as secure as the method by which you verified the
server certificate. When did you last verify the server certificate
securely while using https? Ever? Note that the following methods are
obviously useless:

a) Anything that came preinstalled on the box when you got it
b) Anything that you downloaded via an insecure session
c) Anything involving verisign

  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |

Attachment: signature.asc
Description: Digital signature

Reply to: