
Re: Debian mirrors and MITM

On May 30, 2014, at 9:13 AM, Alfie John <alfiej@fastmail.fm> wrote:

> On Fri, May 30, 2014, at 11:08 PM, Adam D. Barratt wrote:
>>>> The cryptographic signatures that are validated automatically by apt.
>>> What's stopping the attacker from serving a compromised apt?
>> How would you get the client's system to install it in the first place?
>> (More specifically, how would you get the cryptographic signature to
>> match your package, given a lack of access to any of the keys trusted by
>> the client's system?)
> As what I posted earlier, all you would need to do is to MITM the
> install of APT during an install. Who cares what the signatures look
> like since you've NOPed the checksumming code!

So OpenSSL can be flawed and nobody bats an eye, APT uses GnuPG and everyone (this guy) loses their mind?

Anyway, this is covered by GnuPG; unless it is flawed, we don’t have an issue.
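The check Adam is describing is a chain: GnuPG verifies the signature on the Release file, and the Release file lists the hash and size of every index the mirror serves, so a mirror cannot swap a Packages file without the mismatch being caught. As an added example, not code from this thread or from apt itself, the Python below performs that second link with constructed sample data; it assumes the Release file's signature was already verified against the system's trusted keyring (gpgv, not shown), which is the root of trust the thread argues about.

```python
import hashlib
import re

# Constructed sample data. The layout copies a Debian Release file's
# SHA256 section (" <hex digest> <size> <relative path>"), but every
# value here is built locally for this example, not taken from a mirror.
PACKAGES_GOOD = (b"Package: hello\nVersion: 2.10-1\nArchitecture: amd64\n"
                 b"SHA256: " + b"0" * 64 + b"\n\n")
# Same length as the genuine index, so a size check alone would pass it.
PACKAGES_TAMPERED = PACKAGES_GOOD.replace(b"Version: 2.10-1", b"Version: 2.10-2")

def build_release(files):
    """Build the SHA256 section of a Release file from {path: bytes}.
    (Constructed stand-in for the file apt downloads and gpgv verifies.)"""
    lines = ["Suite: stable", "SHA256:"]
    for path, content in sorted(files.items()):
        lines.append(f" {hashlib.sha256(content).hexdigest()} {len(content)} {path}")
    return "\n".join(lines) + "\n"

RELEASE = build_release({"main/binary-amd64/Packages": PACKAGES_GOOD})

_ENTRY = re.compile(r"^ ([0-9a-f]{64}) +(\d+) +(\S+)$")

def parse_sha256_section(release_text):
    """Return {path: (digest, size)} from the SHA256: section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            m = _ENTRY.match(line)
            if not m:            # first non-entry line ends the section
                in_section = False
                continue
            entries[m.group(3)] = (m.group(1), int(m.group(2)))
    return entries

def verify_index(release_text, path, content):
    """Accept `content` for `path` only if both its size and SHA-256 match
    the entry in the (signature-verified) Release file; anything the
    Release file does not list is rejected outright."""
    entries = parse_sha256_section(release_text)
    if path not in entries:
        return False
    digest, size = entries[path]
    if len(content) != size:
        return False
    return hashlib.sha256(content).hexdigest() == digest
```

A real client also rejects a Release file whose Valid-Until has passed, so an attacker cannot keep replaying an old but correctly signed snapshot.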
