Re: HTTPS enabled Debian Security repository
On Fri, 27 Oct 2017, Hans-Christoph Steiner wrote:
> This idea that GPG signatures on the index files is enough has been
> totally disproven. There was a bug in apt where Debian devices could be
> exploited by feeding them crafted InRelease files:
>
> https://www.debian.org/security/2016/dsa-3733
This was the *one* bug of this sort in the entire lifetime of apt thus
far, AFAIK.
> If HTTPS was used, that would mean exploiting that would require
One of the dozens of zero-days already found in the TLS stack we had to
run like crazy to patch?

In fact, the TLS stack is so complex, we can be reasonably sure there is
still at least one remotely-exploitable zero-day there.

Have you ever looked at the library stack in APT's http method, and
compared it with the one in APT's https method?
> HTTPS does not entirely solve all these problems, but it does
> drastically improve things.
That is *not* an opinion shared by everyone, to put it mildly.
--
Henrique Holschuh