Re: Study: Attacks on package managers (including apt)
On Thu, Jul 17, 2008 at 11:30:12AM -0400, Micah Anderson wrote:
> Although PGP-signed Release files prevent tampering with files, the
> attack doesn't require tampering with files or tampering with signed
> release files. If I were to MitM security.debian.org, I could provide
> an outdated (yet properly signed) mirror of the security packages to
> you. I would simply supply, via a MitM, a mirror that was not updated,
> so that the packages you were getting were valid and signed. They just
> are out-dated, so that you would not receive critical security
Sure. Luckily we have multiple channels by which information about
security updates is distributed, so people will know if they are missing
updates. Note that you will have to MITM multiple servers as
security.debian.org is a round robin, and any update of the Packages
will invalidate older versions.
> Following on that attack is the fact that it's easy to join the mirror
> network and once you are in, you can do the same thing as above and
> keep your mirror a day or four out of date, so that people who use
> your mirror aren't getting updates for issues that enter through the
> normal channels. You also have a list of IPs that use your mirror that
> don't have these updates.
It is not easy to become a security mirror. Becoming a non-security
mirror doesn't lead to an obviously interesting attack. Unless you're
talking about people tracking unstable, but in my experience people
tracking unstable notice if a day passes without updates...
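The point both sides of this exchange circle around is that a valid signature proves a Release file was once genuine, not that the mirror is current. Below is an added example (my own code, not from the thread or from apt) that parses a Release file's Date and Valid-Until fields and flags a mirror that has stopped syncing; the Release text is constructed, and the 48-hour threshold is an assumed policy, not an apt default.

```python
"""Freshness check for an APT Release file (added example, not apt's code).

Assumes the standard Debian Release format: 'Key: value' header lines with
RFC 2822 timestamps in 'Date:' and (optionally) 'Valid-Until:'. apt itself
refuses a file past Valid-Until; the 'stale' threshold here is our own.
"""
from datetime import datetime
from email.utils import parsedate_to_datetime

# Constructed sample: what a mirror that stopped syncing would keep serving.
STALE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable-security
Date: Sat, 12 Jul 2008 20:00:00 UTC
Valid-Until: Sat, 19 Jul 2008 20:00:00 UTC
Architectures: amd64 i386
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages
"""


def rfc2822(text):
    """Parse an RFC 2822 timestamp (as used in Release files) to an aware datetime."""
    return parsedate_to_datetime(text)


def parse_release_fields(text):
    """Return the top-level 'Key: value' fields of a Release file as a dict.

    Indented continuation lines (the checksum lists) are skipped.
    """
    fields = {}
    for line in text.splitlines():
        if line and not line[0].isspace() and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def check_freshness(text, now, max_age_hours=48):
    """Classify a Release file relative to 'now' (an aware datetime).

    Returns (status, age_hours): 'expired' if past Valid-Until, 'stale' if
    older than max_age_hours, otherwise 'fresh'. The signature is assumed to
    have been verified separately; this check only covers freshness.
    """
    fields = parse_release_fields(text)
    age_hours = int((now - rfc2822(fields["Date"])).total_seconds() // 3600)
    if "Valid-Until" in fields and now > rfc2822(fields["Valid-Until"]):
        return "expired", age_hours
    if age_hours > max_age_hours:
        return "stale", age_hours
    return "fresh", age_hours
```

Run against a real mirror, the interesting case is a file that is signed, not yet past Valid-Until, but days older than what other channels (the announce list, another mirror) say is current.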