Re: Debian mirrors and MITM
On 30/05/14 13:43, Alfie John wrote:
> On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
>> On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
>>> The public Debian mirrors seem like an obvious target for governments to
>>> MITM. I know that the MD5s are also published, but unless you're
>>> verifying them with third parties, what's stopping the MD5s being
>>> compromised too?
>> The cryptographic signatures that are validated automatically by apt.
> What's stopping the attacker from serving a compromised apt?

Oh god not this again.

How exactly does using HTTPS solve this particular problem, anyway? If
we assume a compromised APT then surely it can pass invalid SSL
certificates as perfectly valid, too. It's not like sponsored attackers
don't have access to all the SSL certificates they might ever want anyway.