Re: Debian mirrors and MITM
On Fri, May 30, 2014 at 11:50:32PM +1000, Alfie John wrote:
> Several times (public and private) I tried to explain how the download
> of APT (the binary itself) on an initial Debian install could be
> compromised via MITM since it's over plaintext. Then the verification of
> packages could simply be skipped (hence NOP). I'm not sure why you're
> bringing libc and libgpg into the conversation.
The thing is: When you download an .iso file, that .iso file also
contains a signing key used to verify each package it downloads during
the installation. Encryption is not important in this aspect, because
what you are downloading is already publicly available and not secret.
Everyone can download the same packages as the installer. Those are
The important bit is to verify that what you are downloading either
manually, or via the installer, hasn't been tampered with. That is
verification, and that is what is interesting here. The .iso file
already contains a public key, and verifies every package it downloads
along the way. You can disable that by hacking a bit in the installer,
but it does require an effort.
For the next problem: Some mirror might theoretically have an .iso file
which has been tampered with, but you should check the checksum for that
file with what you find in the Debian web pages. If you download a .iso
file via HTTP, it might have been tampered with, and if someone is
intercepting your request for the public key, it might be changed. But I
think that would be a problem anyways...
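As an added illustration of the checksum step the reply describes (this is example code, not from the thread or from Debian's tooling): the script below parses a sha256sum-style SHA256SUMS file and checks a downloaded image against it, showing that a single flipped byte is caught. File names and contents are constructed for the demo. Note that the SHA256SUMS file is only as trustworthy as the channel it came over; Debian also publishes a detached signature (SHA256SUMS.sign), and checking that with gpg --verify against a key whose fingerprint you already trust is what closes the "someone changes the key in transit" gap the reply mentions.

```python
"""Verify a downloaded image against a sha256sum-style SHA256SUMS file.

Added example, not code from the thread. Assumes the GNU sha256sum
line format: "<64 hex chars><whitespace><filename>", where the name may
carry a leading '*' (binary-mode marker).
"""
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text):
    """Return {filename: hex_digest} from sha256sum-style lines."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError("malformed SHA256SUMS line: %r" % raw)
        digest, name = parts
        int(digest, 16)  # raises ValueError if not hex
        sums[name.lstrip("*")] = digest.lower()
    return sums


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large ISOs don't fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, sums):
    """True iff the file's SHA-256 matches the SHA256SUMS entry for its basename.

    Raises KeyError if the file is not listed at all, which a caller should
    treat as a failure rather than silently skipping (the installer's
    'NOP the verification' concern from the thread).
    """
    name = os.path.basename(path)
    if name not in sums:
        raise KeyError("no SHA256SUMS entry for %s" % name)
    # Public hashes need no timing protection; compare_digest just avoids
    # accidental truncated/case-sensitive string comparison mistakes.
    return hmac.compare_digest(sha256_of_file(path), sums[name])


def demo():
    """Constructed scenario: a pristine image and a one-byte-altered copy.

    Returns (result_for_good_copy, result_for_tampered_copy).
    """
    with tempfile.TemporaryDirectory() as d:
        good_dir = os.path.join(d, "good")
        bad_dir = os.path.join(d, "bad")
        os.mkdir(good_dir)
        os.mkdir(bad_dir)
        image = b"pretend ISO contents " * 1000  # constructed payload

        good = os.path.join(good_dir, "debian-netinst.iso")
        with open(good, "wb") as f:
            f.write(image)

        # The SHA256SUMS file is built from the pristine image; in practice it
        # comes from the project and must itself be authenticated.
        sums = parse_sha256sums("%s  *debian-netinst.iso\n" % sha256_of_file(good))

        # Same file name, one byte changed, as a tampered download would be.
        bad = os.path.join(bad_dir, "debian-netinst.iso")
        with open(bad, "wb") as f:
            f.write(image[:-1] + bytes([image[-1] ^ 0x01]))

        return verify_download(good, sums), verify_download(bad, sums)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Run it as-is to see the pristine copy pass and the altered copy fail; point verify_download at a real image and the parsed contents of a signature-checked SHA256SUMS to use it for real.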