Re: Debian mirrors and MITM

To: alfiej@fastmail.fm
Cc: debian-security@lists.debian.org
Subject: Re: Debian mirrors and MITM
From: Reid Sutherland <reid@vianet.ca>
Date: Fri, 30 May 2014 10:07:27 -0400
Message-id: <[🔎] E89FECE8-7C01-45C3-9D7F-03919B612CDE@vianet.ca>
In-reply-to: <[🔎] 1401457832.14998.123299485.589AA83E@webmail.messagingengine.com>
References: <[🔎] 1401452101.25524.123263721.146F1AFF@webmail.messagingengine.com> <[🔎] bfad3c3a-e7f4-11e3-8753-00163eeb5320@msgid.mathom.us> <[🔎] 1401453836.31698.123277245.0BFA1590@webmail.messagingengine.com> <[🔎] f78d4218bec9db44c0d491e4318f2a41@mail.adsl.funky-badger.org> <[🔎] 1401455611.6597.123286253.5D5A44D8@webmail.messagingengine.com> <[🔎] 90ebee24-e7fd-11e3-89ae-00163eeb5320@msgid.mathom.us> <[🔎] f2a5e71e-e7fd-11e3-bb9d-00163eeb5320@msgid.mathom.us> <[🔎] 1401456637.10889.123292765.031DBFDA@webmail.messagingengine.com> <[🔎] F8CB8B56-FBF3-471D-9C06-94F03F05ED63@vianet.ca> <[🔎] 1401457832.14998.123299485.589AA83E@webmail.messagingengine.com>

On May 30, 2014, at 9:50 AM, Alfie John <alfiej@fastmail.fm> wrote:
>> 
>> The whole point here is that Debian is already verifying the content it
>> is receiving from any given data source.  This was done from the very
>> beginning because anyone can mirror and distribute Debian software.  So
>> unless there is a flaw with libc and libgpg, we are safe for downloading
>> the public Debian content from anywhere.
> 
> Several times (public and private) I tried to explain how the download
> of APT (the binary itself) on an initial Debian install could be
> compromised via MITM since it's over plaintext. Then the verification of
> packages could simply be skipped (hence NOP). I'm not sure why you're
> bringing libc and libgpg into the conversation.


I think you are on the right track, the MD5SUMS of each release does not seem to be available via SSL from debian.org.

Reply to:

References:
- Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: Michael Stone <mstone@debian.org>
- Re: Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Re: Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: Michael Stone <mstone@debian.org>
- Re: Debian mirrors and MITM
  - From: Michael Stone <mstone@debian.org>
- Re: Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: Reid Sutherland <reid@vianet.ca>
- Re: Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>

Prev by Date: Re: Debian mirrors and MITM
Next by Date: Re: Debian mirrors and MITM
Previous by thread: Re: Debian mirrors and MITM
Next by thread: Re: Debian mirrors and MITM
Index(es):
- Date
- Thread