
Re: Debian mirrors and MITM



On Jun 2, 2014, at 9:29 AM, Jann Horn wrote:

> On Fri, May 30, 2014 at 10:06:06AM -0400, micah anderson wrote:
>> Now I don't want to call into question the esteemed authors of said
>> program, and depending libraries, but I do think that providing https
>> mirrors gives us two distinct advantages over plain http:
>> 
>>        . in the case that there is a bug in apt, or gpg, or something
>>        else, having https would provide at minimum a minor set of
>>        defense against bulk, non-targeted quantum insert and foxacid
>>        attacks, not to mention MiTM compromises from a hostile local
>>        network
> 
> Heh. Because SSL/TLS libraries are so impenetrable and secure? :D

Even GnuPG has had exploitable bugs.  Adding layers of different security techniques can help make the apt distribution system less fragile when such bugs inevitably arise.

For example, if there was an exploitable bug in the GPG signing or checksum hash algorithms used by apt, anyone fetching packages over HTTP could have malicious versions inserted by systems like FOXACID.  If HTTPS was in use, then that would require the attacker to modify the files on the servers where they are stored in order to use the initial GPG/hash exploit.  So using HTTPS greatly reduces the attack surface.

.hc
