
Where is the trust?



From where comes the trust for your archive?

Let me explain something that I am sure you are fully aware of, just to point it out.

Your site says to download the following keyring file in order to trust your packages:

http://www.debian-multimedia.org/pool/main/d/debian-multimedia-keyring/debian-multimedia-keyring_2010.12.26_all.deb

Let's say that I work for the NSA, FBI, etc. and I want to gain access to someone's computer. All that I have to do is to use a man in the middle attack so that when such a request comes across the wire for that key file, it will instead receive my evil exploit key file. Once a user installs your package, and configures their system to use your package archive, then I can replace ANY file on their system simply by providing an updated version of such file. I would also have to mirror your archive and block their access to it, or create some other way so that it would be difficult for them to verify my actions. However, that is quite trivial when I would also have direct access to their network connection. I could just send an exploit package file, but then they could use your real key file to see that it was a forgery. So, by intercepting requests for your key file, I could compromise thousands of computers.

This might seem a bit paranoid, however, I live in the USA. So, as you probably are well aware, my Government loves to spy on us Citizens, even without warrant or cause.

So, I am basically stuck blindly trusting that your keyring file has not been compromised and that your website is not an evil mirror.

You might at least put up a secure SSL connection so that someone might have some chance to blindly trust your server's files. However, if you live in France, that might not be possible as I read somewhere that it is illegal to use crypto there. So, the only real way to provide some trust is to have your key package file included in the official Debian archive. That way, if someone were to want to use your archive, then they could simply install your keyring package and then they would not have to blindly trust your server.

Sincerely,

The Suspect
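
Added example, not part of the original message or of the archive's own tooling: a fail-closed check that gates installation of a keyring package fetched over plain HTTP on a SHA-256 digest obtained through a separate, authenticated channel. The function names and the existence of such a pinned digest are assumptions; the sketch only prints the install command instead of running it.

```shell
# verify_pinned_sha256 FILE EXPECTED_HEX  (hypothetical helper)
# Returns 0 only when FILE exists and its SHA-256 equals EXPECTED_HEX.
# Returns 1 on mismatch, 2 on a malformed pin or missing file.
verify_pinned_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # Reject anything that is not exactly 64 hex digits, so an empty or
    # truncated pin can never be treated as a match.
    case $expected in
        *[!0-9a-f]*) echo "pin is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "pin has wrong length" >&2; return 2; }

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    actual=$(sha256sum "$file" | cut -d' ' -f1) || return 2
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "digest mismatch for $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# install_keyring_if_trusted FILE EXPECTED_HEX  (hypothetical helper)
# Prints the command that would be run; nothing is printed on stdout
# unless the digest check passed.
install_keyring_if_trusted() {
    if verify_pinned_sha256 "$1" "$2"; then
        echo "dpkg -i $1"
    else
        echo "refusing to install $1" >&2
        return 1
    fi
}
```

The check is only as strong as the channel the pinned digest arrived on; a digest read from the same unauthenticated page as the package adds nothing.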

