Re: Debian mirrors and MITM

To: alfiej@fastmail.fm, debian-security@lists.debian.org
Subject: Re: Debian mirrors and MITM
From: Chris Boot <bootc@bootc.net>
Date: Fri, 30 May 2014 13:49:15 +0100
Message-id: <[🔎] 53887E4B.90305@bootc.net>
In-reply-to: <[🔎] 1401453836.31698.123277245.0BFA1590@webmail.messagingengine.com>
References: <[🔎] 1401452101.25524.123263721.146F1AFF@webmail.messagingengine.com> <[🔎] bfad3c3a-e7f4-11e3-8753-00163eeb5320@msgid.mathom.us> <[🔎] 1401453836.31698.123277245.0BFA1590@webmail.messagingengine.com>

On 30/05/14 13:43, Alfie John wrote:
> On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
>> On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
>>> The public Debian mirrors seem like an obvious target for governments to
>>> MITM. I know that the MD5s are also published, but unless you're
>>> verifying them with third parties, what's stopping the MD5s being
>>> compromised too?
>>
>> The cryptographic signatures that are validated automatically by apt. 
> 
> What's stopping the attacker from serving a compromised apt?

Oh god not this again.

How exactly does using HTTPS solve this particular problem, anyway? If
we assume a compromised APT then surely it can pass invalid SSL
certificates as perfectly valid, too. It's not like sponsored attackers
don't have access to all the SSL certificates they might ever want anyway.

-- 
Chris Boot
bootc@bootc.net

Reply to:

Follow-Ups:
- Re: Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>

References:
- Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: Michael Stone <mstone@debian.org>
- Re: Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>

Prev by Date: Re: Debian mirrors and MITM
Next by Date: Re: Debian mirrors and MITM
Previous by thread: Re: Debian mirrors and MITM
Next by thread: Re: Debian mirrors and MITM
Index(es):
- Date
- Thread