
Re: SSL for debian.org/security?



On 30-10-2013 11:05, Celejar wrote:
> You're snipping crucial context; my comment above was in response to
> this:
>> For apt-get a self-signed certificate could be used which comes together
>> with Debian. No CA required. This is both simpler and safer.
> I was pointing out that this comment makes no sense in the context of
> apt-get. It sounds like you're referring to the website or email system.
I am talking about updates.

Yes. Apt uses OpenPGP to verify the integrity and authenticity of the
packages it downloads.
But how does apt get these packages? Over insecure HTTP.

Hacking DNS or a MITM attack can hide updates from you or a country. Then
you are vulnerable due to out-of-date software and you don't even know
about it.
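
The condition described in the message above, where old but still correctly signed repository metadata keeps being served so that new updates never appear, can be checked for on the client. The following Python code is an added example, not part of the original message and not apt's own code; it assumes the archive's Release file carries `Date` and `Valid-Until` fields, and the sample file, the function names and the 10-day threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of a Release file header (not real archive data).
SAMPLE_RELEASE = """\
Origin: Debian
Suite: stable
Date: Tue, 29 Oct 2013 20:11:52 UTC
Valid-Until: Tue, 05 Nov 2013 20:11:52 UTC
SHA256:
 <constructed-placeholder-digest> 1234 main/binary-amd64/Packages
"""

FMT = "%a, %d %b %Y %H:%M:%S UTC"  # timestamp layout used in the sample above


def parse_release_header(text):
    """Return the single-line 'Field: value' pairs of a Release file."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():  # skip checksum continuation lines
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def parse_ts(value):
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)


def freshness(text, now, max_age=timedelta(days=10)):
    """Classify metadata as 'fresh', 'stale' or 'expired'.

    Only meaningful once the OpenPGP signature on the file has been verified;
    otherwise the dates could have been altered in transit. max_age is a
    hypothetical local policy for archives that publish no Valid-Until.
    """
    fields = parse_release_header(text)
    if "Valid-Until" in fields and now > parse_ts(fields["Valid-Until"]):
        return "expired"  # signed metadata is past its stated lifetime
    if now - parse_ts(fields["Date"]) > max_age:
        return "stale"    # no expiry given, but nothing new for too long
    return "fresh"


if __name__ == "__main__":
    print(freshness(SAMPLE_RELEASE, datetime.now(timezone.utc)))
```
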

