Re: Package management unsafe?
On Sat, 2008-07-12 at 23:13 +0000, Joe Smith wrote:
> Andrei Popescu <andreimpopescu <at> gmail.com> writes:
> > How about distributing the Release files *only* from a trusted server?
> The other attack I mentioned (the attack of attempting to exploit a flaw in any
> client that requests a security update) cannot be fixed in the general case,
> except by clients using a trusted server, or a trusted proxy that does not
> reveal the true requesting system's IP.
> Stable is safe because the security servers are trusted. Users of testing or sid
> should choose servers they trust or some form of trusted proxy.
Stable is safe... as long as there's no man-in-the-middle attack (e.g.
like a public wireless access-point with a transparent http proxy, if
it's used over a long period of time).
If we also consider the fact that the computer local time might be wrong
(hwclock bug + an ntp man-in-the-middle...), re-signing the files doesn't
help either [in this very specific case].
One costly solution would be to get the client to send a challenge to a
trusted server, which would respond by gpg-signing the challenge + the
checksum of the current Release file.
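The challenge-response check sketched in the last paragraph, as an added example (not code from the thread or from apt): the client's random nonce, not the local clock, supplies freshness, so a replayed answer or a stale Release file served by a proxy is rejected. HMAC with a shared key stands in for the trusted server's GPG signature, an assumption made so the snippet runs with the standard library only; the Release contents are constructed.

```python
import hashlib
import hmac
import os

# Assumption: a shared HMAC key plays the role of the server's GPG signing key.
# With real GPG the client would hold only the public key.
SIGNING_KEY = os.urandom(32)

# Constructed sample Release file the client fetched from a mirror.
RELEASE_FILE = (b"Origin: Debian\nSuite: stable\nCodename: lenny\n"
                b"Date: Sat, 12 Jul 2008 00:00:00 UTC\n")


def release_checksum(release_bytes: bytes) -> str:
    """SHA-256 of a Release file, as the trusted server would compute it."""
    return hashlib.sha256(release_bytes).hexdigest()


def client_make_challenge() -> bytes:
    """Client side: a fresh random nonce; freshness comes from it, not the clock."""
    return os.urandom(16)


def server_respond(challenge: bytes, current_release: bytes) -> dict:
    """Trusted server: sign (challenge || checksum of the current Release file)."""
    checksum = release_checksum(current_release)
    payload = challenge.hex() + ":" + checksum
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"challenge": challenge, "checksum": checksum, "sig": sig}


def client_verify(challenge: bytes, response: dict, fetched_release: bytes) -> bool:
    """Client: accept the mirror's Release only if the signed answer echoes our
    own nonce and its checksum matches what the mirror actually served."""
    payload = response["challenge"].hex() + ":" + response["checksum"]
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["sig"]):
        return False  # forged or tampered response
    if not hmac.compare_digest(response["challenge"], challenge):
        return False  # replay of an answer to an older challenge
    return hmac.compare_digest(response["checksum"], release_checksum(fetched_release))


def run_scenarios() -> tuple:
    """(fresh answer accepted, stale Release rejected, replayed answer rejected)."""
    c1 = client_make_challenge()
    r1 = server_respond(c1, RELEASE_FILE)
    fresh_ok = client_verify(c1, r1, RELEASE_FILE)
    # A proxy serves an old (validly signed at the time) Release file.
    stale_release = RELEASE_FILE.replace(b"12 Jul 2008", b"01 Jan 2008")
    stale_rejected = not client_verify(c1, r1, stale_release)
    # A proxy replays the server's earlier answer to a new challenge.
    replay_rejected = not client_verify(client_make_challenge(), r1, RELEASE_FILE)
    return fresh_ok, stale_rejected, replay_rejected
```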