Re: Debian mirrors and MITM
On Sat, May 31, 2014, at 12:06 AM, micah anderson wrote:
> >> > The cryptographic signatures that are validated automatically by
> >> > apt.
> >> What's stopping the attacker from serving a compromised apt?
> > apt will check that the new apt is properly signed.
> This entire secure artifice depends entirely on the integrity of apt,
> and presumably the various libraries that it depends on.
> Now I don't want to call into question the esteemed authors of said
> program, and depending libraries, but I do think that providing https
> mirrors gives us two distinct advantages over plain http:
> . in the case that there is a bug in apt, or gpg, or something
> else, having https would provide at minimum a minor set of
> defense against bulk, non-targeted quantum insert and
> foxacid attacks, not to mention MiTM compromises from a
> hostile local network
Yep, already mentioned this one. This is my biggest issue. I'm beginning
to think this should be classified as a security bug in Debian.
> . keeps an adversary who may be listening on the wire from
> looking at what you are installing. who cares what you are
> installing? well it turns out that is very interesting
> information. If you can see that I've just installed X
> package, and you then just look over at our security tracker
> and find that this package has an exploit...
It's only metadata, so who cares, right? Only kidding. This is a totally
legitimate scenario which I didn't think of. Nice.
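
The metadata exposure discussed in the second point, as an added example that is not part of the original thread: it compares what a passive on-path observer can read from a plain-HTTP mirror request with what remains readable when the same request goes over TLS. The host name, package names and versions are constructed sample values, and the pool path layout is the one Debian mirrors use.

```python
import re
from urllib.parse import unquote

# Debian pool layout: .../pool/<component>/<prefix>/<source>/<pkg>_<version>_<arch>.deb
DEB_PATH = re.compile(
    r"/pool/(?P<component>[^/]+)/[^/]+/(?P<source>[^/]+)/"
    r"(?P<package>[^_/]+)_(?P<version>[^_/]+)_(?P<arch>[^_/.]+)\.deb$"
)

# Constructed sample: (Host header, request line) pairs as they appear in cleartext HTTP.
SAMPLE_REQUESTS = [
    ("mirror.example.org",
     "GET /debian/pool/main/libe/libexample/libexample1_1.2.3-4+deb0u1_amd64.deb HTTP/1.1"),
    ("mirror.example.org",
     "GET /debian/pool/main/e/example/example_1%3a2.0-1_all.deb HTTP/1.1"),
    ("mirror.example.org", "GET /debian/dists/stable/Release HTTP/1.1"),
]

def visible_over_http(host, request_line):
    """Everything in the request is cleartext: host, full path, and thus the package."""
    _method, raw_path, _proto = request_line.split()
    path = unquote(raw_path)          # epochs are sent as %3a in the file name
    seen = {"host": host, "path": path, "package": None, "version": None, "arch": None}
    m = DEB_PATH.search(path)
    if m:
        seen.update(package=m["package"], version=m["version"], arch=m["arch"])
    return seen

def visible_over_https(host, request_line):
    """Assumption: TLS without encrypted SNI. The path is inside the encrypted
    channel, so only the mirror's host name stays readable. Transfer sizes and
    timing are still observable and are not modelled here."""
    return {"host": host}

def compare(requests=SAMPLE_REQUESTS):
    return [(visible_over_http(h, r), visible_over_https(h, r)) for h, r in requests]

if __name__ == "__main__":
    for http_view, https_view in compare():
        print("http :", http_view)
        print("https:", https_view)
```
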