Re: Debian mirrors and MITM
On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
> On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
> >The public Debian mirrors seem like an obvious target for governments to
> >MITM. I know that the MD5s are also published, but unless you're
> >verifying them with third parties, what's stopping the MD5s being
> >compromised too?
>
> The cryptographic signatures that are validated automatically by apt.
What's stopping the attacker from serving a compromised apt?
Alfie
--
Alfie John
alfiej@fastmail.fm
Reply to: