Re: Debian mirrors and MITM

To: debian-security@lists.debian.org
Subject: Re: Debian mirrors and MITM
From: Alfie John <alfiej@fastmail.fm>
Date: Fri, 30 May 2014 22:43:56 +1000
Message-id: <[🔎] 1401453836.31698.123277245.0BFA1590@webmail.messagingengine.com>
Reply-to: alfiej@fastmail.fm
In-reply-to: <[🔎] bfad3c3a-e7f4-11e3-8753-00163eeb5320@msgid.mathom.us>
References: <[🔎] 1401452101.25524.123263721.146F1AFF@webmail.messagingengine.com> <[🔎] bfad3c3a-e7f4-11e3-8753-00163eeb5320@msgid.mathom.us>

On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
> On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
> >The public Debian mirrors seem like an obvious target for governments to
> >MITM. I know that the MD5s are also published, but unless you're
> >verifying them with third parties, what's stopping the MD5s being
> >compromised too?
> 
> The cryptographic signatures that are validated automatically by apt. 

What's stopping the attacker from serving a compromised apt?

Alfie

-- 
  Alfie John
  alfiej@fastmail.fm

Reply to:

Follow-Ups:
- Re: Debian mirrors and MITM
  - From: Michael Stone <mstone@debian.org>
- Re: Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: Chris Boot <bootc@bootc.net>
- Re: Debian mirrors and MITM
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Re: Debian mirrors and MITM
  - From: Kurt Roeckx <kurt@roeckx.be>

References:
- Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: Michael Stone <mstone@debian.org>

Prev by Date: Re: Debian mirrors and MITM
Next by Date: Re: Debian mirrors and MITM
Previous by thread: Re: Debian mirrors and MITM
Next by thread: Re: Debian mirrors and MITM
Index(es):
- Date
- Thread