
Re: Debian mirrors and MITM

* Hans-Christoph Steiner <hans@at.or.at> [140703 18:10]:
> You are correct that HTTPS would not entirely address #2, but it does
> improve the situation over HTTP.  For example, an ISP, network operator,
> or government could block an entire mirror or all mirrors by redirecting
> requests to their own mirror which does not get updates.  That would be
> transparent to the user.

- An ISP could just offer to host a mirror, thus getting the certificates
  for free. All you could avoid is getting in the way of someone willfully
  wasting bandwidth by using a specific far away mirror.
- A government could likely just do the same, but with any
  certificates/private keys of any mirrors near you.
- It is only "Transparent" in a very abstract sense of the word. People
  know what security updates there are. Sending outdated stuff to many
  people is hard to hide. So you need a targeted attack, which would
  even cause more suspicion if someone realizes it.
  If someone updates the packages manually detection chances are
  astronomically high. If things are updated manually then a targeted
  attack might as well block the traffic and also block the mails
  going out about the automated update failing.

And then there is still the massive negative aspect of using https,
which any positive aspects have to trump: If using https, people might
actually think they can just use a browser or the like to download
things and get a validated file. Which of course it is not, as so many
people can trivially inject something. A false feeling of having
security can be much worse than anything else often.

	Bernhard R. Link
F8AC 04D5 0B9B 064B 3383  C3DA AFFC 96D1 151D FFDC
