Re: Debian mirrors and MITM
On Fri, May 30, 2014, at 11:08 PM, Adam D. Barratt wrote:
> >> The cryptographic signatures that are validated automatically by apt.
> > What's stopping the attacker from serving a compromised apt?
> How would you get the client's system to install it in the first place?
> (More specifically, how would you get the cryptographic signature to
> match your package, given a lack of access to any of the keys trusted by
> the client's system?)
As I posted earlier, all you would need to do is to MITM the
install of APT during an install. Who cares what the signatures look
like since you've NOPed the checksumming code!