
Re: Debian mirrors and MITM

From: Daniel <daniel@visp.name>
To: Alfie John <alfiej@fastmail.fm>; debian-security@lists.debian.org
Sent: Friday, May 30, 2014 10:16 PM
Subject: Re: Debian mirrors and MITM

> The thing is: When you download an .iso file, that .iso file also contains a signing key used to verify each package it downloads during the
> installation.

> The .iso file already contains a public key, and verifies every package it downloads along the way. You can disable that by hacking a bit in the
> installer, but it does require an effort.

> For the next problem: Some mirror might theoretically have an .iso file which has been tampered with, but you should check the checksum for
> that file with what you find in the Debian web pages. If you download a .iso file via HTTP, it might have been tampered with, and if someone is
> intercepting your request for the public key, it might be changed. But I think that would be a problem anyways...

Hello guys,

I am very confused after reading the exchanges on this topic.

Could someone tell me whether what I have done is correct?

1. I download the *.iso file from a Debian mirror together with the SHA512SUMS and SHA512SUMS.sig

2. On the relevant Debian Wiki page (which is served via https), I search for the fingerprint of the key used to sign the downloaded *.iso file

3. On some Debian user forums, I make inquiries as to the fingerprint of the signing key for my *.iso file. I compare it with the one given by Debian Wiki. If the fingerprints are identical, I will download the signing key from pgp.mit.edu keyserver.

4. I use the signing key to verify the SHA512SUMS file. If the signature is good, I proceed to verify the SHA512 hash sum against my downloaded *.iso file

Are the above steps sufficient to verify the authenticity of the downloaded *.iso file?

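As an added example (not part of the original post, and not Debian's own tooling), the following POSIX shell script carries out steps 2 through 4 of the procedure above mechanically. The one thing it does beyond the steps as written is to pin the key: gpg prints "Good signature" for any key that happens to be in the keyring, so the script reads gpg's machine-readable VALIDSIG status line and compares the fingerprint of the key that actually made the signature with the fingerprint obtained out of band (the HTTPS wiki page and the forum cross-check in steps 2 and 3). Only then is the image checked against SHA512SUMS. The expected fingerprint is a parameter, never hard-coded here; the script assumes gpg and GNU coreutils sha512sum are installed, and the demo at the bottom uses a constructed stand-in file rather than a real installer image.

```shell
#!/bin/sh
# Added example (not from the list post or Debian's tooling): carry out the
# poster's steps 2-4 in a way that pins the signing key rather than trusting
# any "Good signature". Assumes gpg and GNU coreutils sha512sum.
set -eu

# Normalise a fingerprint for comparison: the wiki prints it in spaced
# groups of four, gpg's machine output prints 40 unbroken hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr '[:lower:]' '[:upper:]'
}

# True (exit 0) when both strings name the same key.
fpr_matches() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Read gpg --status-fd output on stdin and print the fingerprint from the
# VALIDSIG line. gpg emits VALIDSIG only for a signature that verified;
# BADSIG, ERRSIG or NO_PUBKEY produce no output here.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Verify SHA512SUMS.sig over SHA512SUMS and require that the key which made
# the signature is the one whose fingerprint was obtained out of band
# (step 2). "Good signature" alone only means some key in the keyring
# verified it, which is not enough.
# Usage: verify_sums_sig SHA512SUMS.sig SHA512SUMS <expected-fingerprint>
verify_sums_sig() {
    sig=$1; sums=$2; expected=$3
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    got=$(printf '%s\n' "$status" | validsig_fpr)
    [ -n "$got" ] && fpr_matches "$got" "$expected"
}

# Check one downloaded file against the (now authenticated) SHA512SUMS.
# Only the line for that file is fed to sha512sum, so the other images in
# the list need not be present; fails if the file is absent from the list.
# Usage: verify_iso SHA512SUMS <file-name>   (run where the file lives)
verify_iso() {
    sums=$1; name=$2
    awk -v f="$name" '$2 == f || $2 == ("*" f)' "$sums" | sha512sum -c - >/dev/null
}

# Offline demonstration with a constructed stand-in for the image; a real
# run would first fetch the files (step 1) and call verify_sums_sig with
# the fingerprint taken from the HTTPS wiki page (step 2).
demo() (
    tmp=$(mktemp -d)
    cd "$tmp"
    printf 'constructed stand-in, not a real installer image\n' > debian-example.iso
    sha512sum debian-example.iso > SHA512SUMS        # constructed checksum list
    if verify_iso SHA512SUMS debian-example.iso; then
        echo "checksum of debian-example.iso matches SHA512SUMS"
    fi
    printf 'x' >> debian-example.iso                 # simulate a tampered download
    if ! verify_iso SHA512SUMS debian-example.iso; then
        echo "tampered debian-example.iso rejected"
    fi
    cd / && rm -rf "$tmp"
)
demo
```

In a real run the order is: verify_sums_sig first, and only if it succeeds, verify_iso; a checksum match against a SHA512SUMS file whose signature was not tied to the expected key proves nothing, since an attacker who can replace the image can replace the checksum list beside it. The awk filter plays the role of sha512sum's --ignore-missing option on newer GNU coreutils, but also works where that option is absent. Step 3 (asking on a forum) is an out-of-band human check and is deliberately not scripted.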