Re: Debian mirrors and MITM

To: alfiej@fastmail.fm
Cc: debian-security@lists.debian.org
Subject: Re: Debian mirrors and MITM
From: Reid Sutherland <reid@vianet.ca>
Date: Fri, 30 May 2014 09:37:01 -0400
Message-id: <[🔎] F8CB8B56-FBF3-471D-9C06-94F03F05ED63@vianet.ca>
In-reply-to: <[🔎] 1401456637.10889.123292765.031DBFDA@webmail.messagingengine.com>
References: <[🔎] 1401452101.25524.123263721.146F1AFF@webmail.messagingengine.com> <[🔎] bfad3c3a-e7f4-11e3-8753-00163eeb5320@msgid.mathom.us> <[🔎] 1401453836.31698.123277245.0BFA1590@webmail.messagingengine.com> <[🔎] f78d4218bec9db44c0d491e4318f2a41@mail.adsl.funky-badger.org> <[🔎] 1401455611.6597.123286253.5D5A44D8@webmail.messagingengine.com> <[🔎] 90ebee24-e7fd-11e3-89ae-00163eeb5320@msgid.mathom.us> <[🔎] f2a5e71e-e7fd-11e3-bb9d-00163eeb5320@msgid.mathom.us> <[🔎] 1401456637.10889.123292765.031DBFDA@webmail.messagingengine.com>

On May 30, 2014, at 9:30 AM, Alfie John <alfiej@fastmail.fm> wrote:

> On Fri, May 30, 2014, at 11:27 PM, Michael Stone wrote:
>> On Fri, May 30, 2014 at 09:24:47AM -0400, Michael Stone wrote:
>>> That's why you verify the initial install media per the link I posted
>>> earlier...
>> 
>> Oh, and those key fingerprints are on an https page for those who
>> actually trust the CA system.
> 
> That was my next question. If the fingerprints are on a HTTPS served
> page, then yes that seems like a valid solution.
> 
> And thanks Reid Sutherland for telling me I have no clue. Much
> appreciated.

In your private response to me, you didn’t.

The whole point here is that Debian is already verifying the content it is receiving from any given data source.  This was done from the very beginning because anyone can mirror and distribute Debian software.  So unless there is a flaw with libc and libgpg, we are safe for downloading the public Debian content from anywhere.

Reply to:

Follow-Ups:
- Re: Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>

References:
- Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: Michael Stone <mstone@debian.org>
- Re: Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Re: Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: Michael Stone <mstone@debian.org>
- Re: Debian mirrors and MITM
  - From: Michael Stone <mstone@debian.org>
- Re: Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>

Prev by Date: Re: Debian mirrors and MITM
Next by Date: Re: Debian mirrors and MITM
Previous by thread: Re: Debian mirrors and MITM
Next by thread: Re: Debian mirrors and MITM
Index(es):
- Date
- Thread