Re: Study: Attacks on package managers (inclusing apt)
Michael Stone <firstname.lastname@example.org> writes:
> On Thu, Jul 17, 2008 at 11:30:12AM -0400, Micah Anderson wrote:
>>Although PGP-signed Release file prevent tampering with files, the
>>attack doesn't require tampering with files or tampering with signed
>>release files. If I were to MitM security.debian.org, I could provide
>>an outdated (yet properly signed) mirror of the security packages to
>>you. I would simply supply, via a MitM, a mirror that was not updated,
>>so that the packages you were getting were valid and signed. They just
>>are out-dated, so that you would not receive critical security
> Sure. Luckily we have multiple channels by which information about
> security updates is distributed, so people will know if they are
> missing updates. Note that you will have to MITM multiple servers as
> security.debian.org is a round robin, and any update of the Packages
> will invalidate older versions.
Or just one DNS server or even just the users client.