
Re: Debian mirrors and MITM

On 30/05/14 13:43, Alfie John wrote:
> On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
>> On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
>>> The public Debian mirrors seem like an obvious target for governments to
>>> MITM. I know that the MD5s are also published, but unless you're
>>> verifying them with third parties, what's stopping the MD5s being
>>> compromised too?
>> The cryptographic signatures that are validated automatically by apt. 
> What's stopping the attacker from serving a compromised apt?

Oh god not this again.

How exactly does using HTTPS solve this particular problem, anyway? If
we assume a compromised APT then surely it can pass invalid SSL
certificates as perfectly valid, too. It's not like sponsored attackers
don't have access to all the SSL certificates they might ever want anyway.

Chris Boot
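The trust chain Michael Stone refers to, shown as an added example that is not part of this thread and not apt's own code. It models what apt actually checks: the Packages index carries the hash of each .deb, the Release file carries the hash of Packages, and Release is signed with the archive key that the client already holds (shipped in debian-archive-keyring, never fetched from the mirror). Assumptions: Ed25519 stands in for the OpenPGP signature real archives use, the Release and Packages layouts are simplified, only SHA256 entries are modelled (real Packages files also list MD5Sum), and the package bytes are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Mirror is what an apt client pulls from a (possibly hostile) HTTP mirror:
// the Release file, its detached signature (Release.gpg), the Packages index
// and the .deb itself. None of it is trusted on arrival.
type Mirror struct {
	Release  string
	Sig      []byte
	Packages string
	Deb      []byte
}

func sha256hex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// buildMirror is the archive side: Packages records the hash of the .deb,
// Release records the hash of Packages, and Release is signed. Ed25519 is a
// stand-in (assumption) for the OpenPGP signature a real archive produces.
func buildMirror(archiveKey ed25519.PrivateKey, deb []byte) Mirror {
	packages := fmt.Sprintf("Package: demo\nFilename: pool/main/d/demo.deb\nSHA256: %s\n", sha256hex(deb))
	release := fmt.Sprintf("Suite: stable\nSHA256:\n %s %d main/binary-amd64/Packages\n",
		sha256hex([]byte(packages)), len(packages))
	return Mirror{
		Release:  release,
		Sig:      ed25519.Sign(archiveKey, []byte(release)),
		Packages: packages,
		Deb:      deb,
	}
}

// Verify is the client side. The only trust anchor is the pinned archive
// public key; every file is accepted only through a hash that starts at
// the signed Release file.
func Verify(archivePub ed25519.PublicKey, m Mirror) error {
	if !ed25519.Verify(archivePub, []byte(m.Release), m.Sig) {
		return errors.New("release signature invalid")
	}
	if !strings.Contains(m.Release, " "+sha256hex([]byte(m.Packages))+" ") {
		return errors.New("packages hash not in signed release")
	}
	if !strings.Contains(m.Packages, "SHA256: "+sha256hex(m.Deb)+"\n") {
		return errors.New("deb hash not in packages")
	}
	return nil
}

// Scenarios runs an honest mirror and three MITM variants through Verify and
// returns the outcome of each ("" means the client accepted the package).
func Scenarios() map[string]string {
	archivePub, archiveKey, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerKey, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed sample: genuine .deb bytes")
	evil := []byte("constructed sample: backdoored .deb bytes")

	honest := buildMirror(archiveKey, genuine)

	// 1. Attacker swaps only the .deb in transit.
	swapped := honest
	swapped.Deb = evil

	// 2. Attacker also rewrites the hash list in Packages (the "compromised
	//    MD5s" case) but cannot produce a valid signature over a new Release.
	rehashed := buildMirror(attackerKey, evil)
	rehashed.Release, rehashed.Sig = honest.Release, honest.Sig

	// 3. Attacker rewrites everything and signs Release with a key of their own.
	resigned := buildMirror(attackerKey, evil)

	outcome := func(err error) string {
		if err == nil {
			return ""
		}
		return err.Error()
	}
	return map[string]string{
		"honest":   outcome(Verify(archivePub, honest)),
		"swapped":  outcome(Verify(archivePub, swapped)),
		"rehashed": outcome(Verify(archivePub, rehashed)),
		"resigned": outcome(Verify(archivePub, resigned)),
	}
}

func main() {
	for name, result := range Scenarios() {
		if result == "" {
			result = "accepted"
		}
		fmt.Printf("%-9s %s\n", name, result)
	}
}
```

Each MITM variant fails at a different link, and none of the failures depends on the transport: the mirror can serve any bytes it likes over plain HTTP, and the client still only installs what chains back to the pinned key. What this example cannot defend against is exactly the case raised in the reply above, a replaced apt binary, because then the attacker controls the code doing the verifying; a TLS certificate check would be running in that same compromised code, which is Chris Boot's point.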
