Re: Debian mirrors and MITM

To: debian-security@lists.debian.org
Subject: Re: Debian mirrors and MITM
From: Alfie John <alfiej@fastmail.fm>
Date: Fri, 30 May 2014 23:13:31 +1000
Message-id: <[🔎] 1401455611.6597.123286253.5D5A44D8@webmail.messagingengine.com>
Reply-to: alfiej@fastmail.fm
In-reply-to: <[🔎] f78d4218bec9db44c0d491e4318f2a41@mail.adsl.funky-badger.org>
References: <[🔎] 1401452101.25524.123263721.146F1AFF@webmail.messagingengine.com> <[🔎] bfad3c3a-e7f4-11e3-8753-00163eeb5320@msgid.mathom.us> <[🔎] 1401453836.31698.123277245.0BFA1590@webmail.messagingengine.com> <[🔎] f78d4218bec9db44c0d491e4318f2a41@mail.adsl.funky-badger.org>

On Fri, May 30, 2014, at 11:08 PM, Adam D. Barratt wrote:
> >> The cryptographic signatures that are validated automatically by apt.
> > 
> > What's stopping the attacker from serving a compromised apt?
> 
> How would you get the client's system to install it in the first place? 
> (More specifically, how would you get the cryptographic signature to 
> match your package, given a lack of access to any of the keys trusted by 
> the client's system?)

As what I posted earlier, all you would need to do is to MITM the
install of APT during an install. Who cares what the signatures look
like since you've NOPed the checksumming code!

Alfie

-- 
  Alfie John
  alfiej@fastmail.fm

Reply to:

Follow-Ups:
- Re: Debian mirrors and MITM
  - From: Reid Sutherland <reid@vianet.ca>
- Re: Debian mirrors and MITM
  - From: Michael Stone <mstone@debian.org>

References:
- Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: Michael Stone <mstone@debian.org>
- Re: Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Re: Debian mirrors and MITM
Next by Date: Re: Debian mirrors and MITM
Previous by thread: Re: Debian mirrors and MITM
Next by thread: Re: Debian mirrors and MITM
Index(es):
- Date
- Thread