
Re: Debian cd supporting ext4.



On Sat, Jul 24, 2010 at 19:51:53 -0500, Boyd Stephen Smith Jr. wrote:
> On Saturday 24 July 2010 17:21:28 Florian Kulzer wrote:
> > Furthermore, he is asking the wrong question if he wants real security.
> > If one downloads via an insecure protocol (http, ftp) then it does not
> > matter if the URL points to debian.org, kmuto.jp or rootkits-r-us.com,
> > because one is unprotected against a man-in-the-middle attack in any
> > case.
> 
> That's not true.

Why not?

> Long ago, the "secure-apt" project took this issue into account.  The Packages 
> file is GPG signed and this signature is verified during each (aptitude 
> update), even during installation.  (Although, I have seen some install 
> methods subvert this check...)
>
> The Packages file contains multiple cryptographically-secure hashes of each 
> binary package available from that archive/repository and (at least) one of 
> these hashes is verified after download but before installation.
> 
> The Sources file is similarly signed and provides hashes for the source 
> packages available from that archive/repository.
 
I do not think that these facts contradict my statement that http and
ftp downloads in and of themselves cannot be trusted, no matter what the
URL is. I did not claim that it is impossible to have a mechanism for
verifying downloads, nor did I imply that Debian does not implement such
a safeguard in its package management.

> The official installation media are each signed and hashed in a 
> cryptographically-secure manner, but you have to verify those manually.

That was my point; if there is a valid signature of a trusted key then
it does not matter how the installation image was obtained. (This
assumes that nobody knows an efficient algorithm to factor large
numbers or to create hash collisions after making arbitrary changes to
the original image.)

-- 
Regards,            |
          Florian   |
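The check Florian describes, as an added example that is not part of the
thread or of any Debian tool: trust comes from the detached GPG signature
on the checksum file, made by a key whose fingerprint you already know;
how the image and the checksum file reached your disk does not matter.
Everything below is constructed locally for the demo: both keys are
generated on the fly, the "image" is a one-line text file, and the
function and variable names are mine. It needs gpg (2.1 or later) and
coreutils sha256sum.

```shell
#!/bin/sh
# Added example, not from the thread: verify an installation image by
# (1) checking the detached signature over the checksum file,
# (2) checking that the signing key is the one we expect, and only then
# (3) checking the image's SHA256 against the now-trusted checksum file.
set -eu

# verify_image SUMS SIG KEYRING EXPECTED_FPR DIR
# Returns 0 only when SIG is a valid signature over SUMS made by the
# primary key with fingerprint EXPECTED_FPR, and every image found in DIR
# matches its entry in SUMS. Any other outcome returns 1.
verify_image() {
    sums=$1 sig=$2 keyring=$3 want_fpr=$4 dir=$5
    # --status-fd gives machine-readable lines; VALIDSIG ends with the
    # fingerprint of the primary key that made the signature.
    status=$(gpg --batch --no-default-keyring --keyring "$keyring" \
                 --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    got_fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    # "Valid" only means some key in the keyring made it. It has to be the
    # key whose fingerprint we obtained out of band.
    [ "$got_fpr" = "$want_fpr" ] || return 1
    # Now the hashes can be trusted. --ignore-missing skips images we did
    # not download; sha256sum still fails if nothing at all was checked.
    (cd "$dir" && sha256sum --check --strict --ignore-missing "$sums" >/dev/null 2>&1) || return 1
}

# Construct the scene: a "CD signing" key, a second key a mirror could have
# talked you into importing, a tiny "image", its SHA256SUMS, and two
# detached signatures over that file (one by each key).
setup_demo() {
    DEMO=$(mktemp -d)
    export GNUPGHOME="$DEMO/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo CD Signing Key' default default never 2>/dev/null
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Not Debian At All' default default never 2>/dev/null
    DEMO_FPR=$(gpg --batch --with-colons --list-keys 'Demo CD Signing Key' \
               | awk -F: '$1 == "fpr" { print $10; exit }')
    ROGUE_FPR=$(gpg --batch --with-colons --list-keys 'Not Debian At All' \
                | awk -F: '$1 == "fpr" { print $10; exit }')
    # Both public keys land in the keyring used for verification, as they
    # would if you imported whatever key the download page offered.
    gpg --batch --quiet --export "$DEMO_FPR" "$ROGUE_FPR" > "$DEMO/trusted.gpg"
    # Constructed "image" plus a checksum file in sha256sum(1) format.
    printf 'not really an ISO\n' > "$DEMO/debian-netinst.iso"
    (cd "$DEMO" && sha256sum debian-netinst.iso > SHA256SUMS)
    gpg --batch --quiet --yes --detach-sign --local-user "$DEMO_FPR" \
        --output "$DEMO/SHA256SUMS.sign" "$DEMO/SHA256SUMS"
    gpg --batch --quiet --yes --detach-sign --local-user "$ROGUE_FPR" \
        --output "$DEMO/SHA256SUMS.rogue.sign" "$DEMO/SHA256SUMS"
    # A copy of the image as a man-in-the-middle might have altered it.
    mkdir "$DEMO/tampered"
    printf 'not really an ISO\nplus one extra line\n' > "$DEMO/tampered/debian-netinst.iso"
}

setup_demo
if verify_image "$DEMO/SHA256SUMS" "$DEMO/SHA256SUMS.sign" "$DEMO/trusted.gpg" "$DEMO_FPR" "$DEMO"
then echo "genuine image, trusted key:   accepted"; else echo "genuine image, trusted key:   REJECTED (unexpected)"; fi
if verify_image "$DEMO/SHA256SUMS" "$DEMO/SHA256SUMS.rogue.sign" "$DEMO/trusted.gpg" "$DEMO_FPR" "$DEMO"
then echo "valid signature, wrong key:   accepted (unexpected)"; else echo "valid signature, wrong key:   rejected"; fi
if verify_image "$DEMO/SHA256SUMS" "$DEMO/SHA256SUMS.sign" "$DEMO/trusted.gpg" "$DEMO_FPR" "$DEMO/tampered"
then echo "modified image, trusted key:  accepted (unexpected)"; else echo "modified image, trusted key:  rejected"; fi
```

The middle case is the one people skip: gpg reports "Good signature" for
the rogue key too, because it is in the keyring. Comparing the fingerprint
against one obtained out of band (printed documentation, an existing
installation's keyring, a key you have personally checked) is what turns
"a valid signature" into "a valid signature of a trusted key".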

