[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: HTTPS enabled Debian Security repository

On Fri, 27 Oct 2017, Hans-Christoph Steiner wrote:
> This idea that GPG signatures on the index files is enough has been
> totally disproven.  There was a bug in apt where Debian devices could be
> exploited by feeding them crafted InRelease files:
> 
> https://www.debian.org/security/2016/dsa-3733

This was the *one* bug of this sort in the entire lifetime of apt thus
far, AFAIK.

> If HTTPS was used, that would mean exploiting that would require

One of the dozens of zero-days already found in the TLS stack we had to
run like crazy to patch ?

In fact, the TLS stack is so complex, we can be reasonably sure there is
still at least one remotely-exploitable zero-day there.

Have you ever looked at the library stack in APT's http method, and
compared it with the one in APT's https method?

> HTTPS does not entirely solve all these problems, but it does
> drastically improve things.

That is *not* an opinion shared by everyone, to put it mildly.

-- 
  Henrique Holschuh
Reply to: