Re: Debian mirrors and MITM

To: Alfie John <alfiej@fastmail.fm>
Cc: debian-security@lists.debian.org
Subject: Re: Debian mirrors and MITM
From: Michael Stone <mstone@debian.org>
Date: Fri, 30 May 2014 08:24:54 -0400
Message-id: <[🔎] bfad3c3a-e7f4-11e3-8753-00163eeb5320@msgid.mathom.us>
Mail-followup-to: Alfie John <alfiej@fastmail.fm>, debian-security@lists.debian.org
In-reply-to: <[🔎] 1401452101.25524.123263721.146F1AFF@webmail.messagingengine.com>
References: <[🔎] 1401452101.25524.123263721.146F1AFF@webmail.messagingengine.com>

On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:

The public Debian mirrors seem like an obvious target for governments to
MITM. I know that the MD5s are also published, but unless you're
verifying them with third parties, what's stopping the MD5s being
compromised too?

The cryptographic signatures that are validated automatically by apt.

Reply to:

Follow-Ups:
- Re: Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>

References:
- Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>

Prev by Date: Debian mirrors and MITM
Next by Date: Re: Debian mirrors and MITM
Previous by thread: Debian mirrors and MITM
Next by thread: Re: Debian mirrors and MITM
Index(es):
- Date
- Thread