Re: Debian mirrors and MITM
On May 30, 2014, at 9:50 AM, Alfie John <firstname.lastname@example.org> wrote:
>> The whole point here is that Debian is already verifying the content it
>> is receiving from any given data source. This was done from the very
>> beginning because anyone can mirror and distribute Debian software. So
>> unless there is a flaw with libc and libgpg, we are safe for downloading
>> the public Debian content from anywhere.
> Several times (public and private) I tried to explain how the download
> of APT (the binary itself) on an initial Debian install could be
> compromised via MITM since it's over plaintext. Then the verification of
> packages could simply be skipped (hence NOP). I'm not sure why you're
> bringing libc and libgpg into the conversation.
I think you are on the right track, the MD5SUMS of each release does not seem to be available via SSL from debian.org.
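The trust-anchor problem the thread is circling (a checksum list is only useful if it arrives over a channel the attacker cannot rewrite) can be made concrete. The following is an added example in Python, not code from the thread or from the Debian project: it parses the coreutils-style `MD5SUMS`/`SHA256SUMS` format Debian publishes, verifies a downloaded artifact against it, and then runs three constructed scenarios. The installer bytes and the tampered variant are made up for the demonstration; the function names (`parse_sums`, `verify`, `build_sums`, `demo`) are this example's own.

```python
import hashlib
import hmac
import re

# Checksum-list file name -> hash algorithm it carries (Debian's naming convention).
_ALGO_BY_NAME = {
    "MD5SUMS": "md5",
    "SHA1SUMS": "sha1",
    "SHA256SUMS": "sha256",
    "SHA512SUMS": "sha512",
}

# One coreutils checksum line: hex digest, whitespace, optional '*' (binary mode), file name.
_LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S.*)$")


def parse_sums(text: str) -> dict:
    """Parse '<hex>  <name>' lines into {name: hex}; blank and '#' lines are ignored."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {raw!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def verify(data: bytes, name: str, sums_text: str, list_name: str = "SHA256SUMS") -> bool:
    """Return True only if data hashes to the entry for name in the given checksum list."""
    algo = _ALGO_BY_NAME[list_name]
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return False
    # Reject digests of the wrong length before comparing, so an MD5 entry cannot
    # be passed off as a SHA-256 one (and vice versa).
    if len(expected) != hashlib.new(algo).digest_size * 2:
        return False
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def build_sums(files: dict, list_name: str = "SHA256SUMS") -> str:
    """Publisher side: emit a checksum list for {name: bytes} (constructed, not Debian's)."""
    algo = _ALGO_BY_NAME[list_name]
    return "".join(
        f"{hashlib.new(algo, data).hexdigest()}  {name}\n" for name, data in files.items()
    )


def demo() -> dict:
    """Three scenarios showing when a checksum list does and does not catch tampering."""
    # Constructed sample artifact; stands in for an installer image or the apt binary.
    genuine = {"installer.iso": b"constructed sample installer bytes v1"}
    tampered = {"installer.iso": b"constructed sample installer bytes v1 + injected"}

    # Checksum list obtained over an authenticated channel (TLS to the publisher,
    # or a GPG-signed Release file checked against a key already on the system).
    trusted_sums = build_sums(genuine)
    # Checksum list fetched over the same plaintext channel as the artifact, so an
    # on-path party could regenerate it to match whatever bytes it delivered.
    same_channel_sums = build_sums(tampered)

    return {
        # Genuine file, trusted list: passes.
        "genuine_vs_trusted": verify(genuine["installer.iso"], "installer.iso", trusted_sums),
        # Modified file, trusted list: detected.
        "tampered_vs_trusted": verify(tampered["installer.iso"], "installer.iso", trusted_sums),
        # Modified file, list from the same untrusted channel: NOT detected. This is
        # why the list (or the key that signs it) must come from an independent, trusted source.
        "tampered_vs_same_channel": verify(
            tampered["installer.iso"], "installer.iso", same_channel_sums
        ),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'REJECTED'}")
```

The third scenario is the one the thread describes: hashing catches corruption and opportunistic substitution, but it is not an authentication mechanism on its own. For a first install the anchor has to be something the attacker cannot replace in transit, such as a checksum list or signing key fetched over TLS or pre-installed on the medium.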