[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian mirrors and MITM

On Fri, May 30, 2014, at 10:49 PM, Chris Boot wrote:
> >> The cryptographic signatures that are validated automatically by apt. 
> > 
> > What's stopping the attacker from serving a compromised apt?
> Oh god not this again.
> How exactly does using HTTPS solve this particular problem, anyway? If
> we assume a compromised APT then surely it can pass invalid SSL
> certificates as perfectly valid, too. It's not like sponsored attackers
> don't have access to all the SSL certificates they might ever want
> anyway.

By mandating HTTPS, it would prevent QuantumInsert and FoxAcid being
implemented during Debain installs and later package installs/updates.

If you're worried about SSL certificates being compromised, going down
the path of Debian self-signing its own certificate and distributed it
via SneakerNet would be a way to prevent it. 


  Alfie John

Reply to: