
Re: Debian mirrors and MITM

Kurt Roeckx <kurt@roeckx.be> writes:

> On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
>> On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
>> > On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
>> > >The public Debian mirrors seem like an obvious target for governments to
>> > >MITM. I know that the MD5s are also published, but unless you're
>> > >verifying them with third parties, what's stopping the MD5s being
>> > >compromised too?
>> > 
>> > The cryptographic signatures that are validated automatically by apt. 
>> What's stopping the attacker from serving a compromised apt?
> apt will check that the new apt is properly signed.

This entire secure artifice depends entirely on the integrity of
apt, and presumably the various libraries that it depends on.

Now I don't want to call into question the esteemed authors of said
program, and depending libraries, but I do think that providing https
mirrors gives us two distinct advantages over plain http:

        . in the case that there is a bug in apt, or gpg, or something
        else, having https would provide at minimum a minor set of
        defense against bulk, non-targeted quantum insert and foxacid
        attacks, not to mention MiTM compromises from a hostile local

        . keeps an adversary who may be listening on the wire from
        looking at what you are installing. Who cares what you are
        installing? Well, it turns out that is very interesting
        information. If you can see that I've just installed X package,
        and you then just look over at our security tracker and find
        that this package has an exploit...

