Re: Debian mirrors and MITM

To: Chris Boot <bootc@bootc.net>, debian-security@lists.debian.org
Subject: Re: Debian mirrors and MITM
From: Alfie John <alfiej@fastmail.fm>
Date: Fri, 30 May 2014 23:00:41 +1000
Message-id: <[🔎] 1401454841.3847.123280441.072172CA@webmail.messagingengine.com>
Reply-to: alfiej@fastmail.fm
In-reply-to: <[🔎] 53887E4B.90305@bootc.net>
References: <[🔎] 1401452101.25524.123263721.146F1AFF@webmail.messagingengine.com> <[🔎] bfad3c3a-e7f4-11e3-8753-00163eeb5320@msgid.mathom.us> <[🔎] 1401453836.31698.123277245.0BFA1590@webmail.messagingengine.com> <[🔎] 53887E4B.90305@bootc.net>

On Fri, May 30, 2014, at 10:49 PM, Chris Boot wrote:
> >> The cryptographic signatures that are validated automatically by apt. 
> > 
> > What's stopping the attacker from serving a compromised apt?
> 
> Oh god not this again.
> 
> How exactly does using HTTPS solve this particular problem, anyway? If
> we assume a compromised APT then surely it can pass invalid SSL
> certificates as perfectly valid, too. It's not like sponsored attackers
> don't have access to all the SSL certificates they might ever want
> anyway.

By mandating HTTPS, it would prevent QuantumInsert and FoxAcid being
implemented during Debain installs and later package installs/updates.

If you're worried about SSL certificates being compromised, going down
the path of Debian self-signing its own certificate and distributed it
via SneakerNet would be a way to prevent it. 

Alfie

-- 
  Alfie John
  alfiej@fastmail.fm

Reply to:

References:
- Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: Michael Stone <mstone@debian.org>
- Re: Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: Chris Boot <bootc@bootc.net>

Prev by Date: Re: Debian mirrors and MITM
Next by Date: Re: Debian mirrors and MITM
Previous by thread: Re: Debian mirrors and MITM
Next by thread: Re: Debian mirrors and MITM
Index(es):
- Date
- Thread