Re: Debian mirrors and MITM
On Fri, May 30, 2014, at 11:37 PM, Reid Sutherland wrote:
> >> Oh, and those key fingerprints are on an https page for those who
> >> actually trust the CA system.
> > That was my next question. If the fingerprints are on an HTTPS-served
> > page, then yes that seems like a valid solution.
> > And thanks Reid Sutherland for telling me I have no clue. Much
> > appreciated.
> In your private response to me, you didn’t.
> The whole point here is that Debian is already verifying the content it
> is receiving from any given data source. This was done from the very
> beginning because anyone can mirror and distribute Debian software. So
> unless there is a flaw with libc and libgpg, we are safe for downloading
> the public Debian content from anywhere.
Several times (public and private) I tried to explain how the download
of APT (the binary itself) on an initial Debian install could be
compromised via MITM since it's over plaintext. Then the verification of
packages could simply be skipped (hence NOP). I'm not sure why you're
bringing libc and libgpg into the conversation.