"Brian May" <email@example.com> wrote in message [🔎] 487952EB.firstname.lastname@example.org">news:[🔎] 487952EB.email@example.com...
Joe Smith wrote:However, if the security updates come from trusted security mirrors rather than a general mirror, that attack would fail too. So with the exception of Sid or Testing users that do not use the testing-security system to receive securityIt would still be possible to mount this attack if the attacker can intercept packets on the way to the official trusted security mirror and redirect them (e.g. transparent proxy) to an older copy of the mirror.updates, Debian really is not terribly vulnerable to this.
Well that is true. It is however, more difficult to pull off than the get-an-offical-mirror-and-run-a-replay-attack described in the article.
Anybody could do what is described in the article with little difficulty. It is far more difficult to set-up packet interception.
Use of https on the security mirror should virtually elimate the Man-in-the-middle risk.
I think that would make stable imune to security replay attacks.