
Re: shadowy, sort of fly by night debian mirrors? ...



Hello,

On Sun, Feb 21, 2021 at 08:45:08AM -0500, Albretch Mueller wrote:
>  1) as I used a known public hotspot connection, there was a new
> hotspot advertising itself as "Wifi4EU" (of course, I didn't bite that
> bait)

Does not really seem relevant to a remote Debian mirror, unless you
are suggesting that someone has set up a rogue wifi hotspot in that
particular location and used it to distribute compromised Debian
images, which seems rather far-fetched.

>  2) getting a connection through (apparently) the right hotspot took
> way more time than expected

I'm not saying it's aliens
but it's aliens.

>  3) downloads were being redirected real time

OK? Web servers are allowed to issue redirects, and you're being
redirected to another hostname at the same org, so doesn't seem very
suspicious.

>  4) the usual server side responses were not being produced, just:
> 
> WARNING: certificate common name `ftp.acc.umu.se' doesn't match
> requested host name `chuangtzu.ftp.acc.umu.se'.
> 2021-02-17 11:14:47
> URL:https://chuangtzu.ftp.acc.umu.se/debian-cd/current/amd64/iso-dvd/debian-10.8.0-amd64-DVD-2.iso
> [4697370624/4697370624] -> "debian-10.8.0-amd64-DVD-2.iso" [1]

Right, so it's just saying you requested something at ftp.acc.umu.se
but it's HTTP redirecting you to chuangtzu.ftp.acc.umu.se which
doesn't have a TLS certificate with the name "ftp.acc.umu.se".

Many Debian mirrors don't support HTTPS enough to have a TLS cert in
the correct name and/or a debian.org name. I think you can use host
deb.debian.org in your sources.list to hit a Fastly CDN node that is
network-wise reasonably close to you and will work with TLS without
complaint, though you don't know what transports it uses between
itself and the origin servers in the background.

>  5) the mirror debian site (ftp.acc.umu.se) had smelly prefixes as
> subdomains (apparently Chinese transliterations) {chuangtzu, laotzu}

Why do Chinese names seem "smelly" to you?

>  6) whois registry for umu.se

Unclear why the domain registry info for a Swedish university is of
any bearing…

>  7) the md5 and sha1 hashes that I computed could not be found online
> 
> 0296cfbeaf3823055901d7ad2077a077
> 0b742d83d23207db9a24553100d4155eb8c701bf debian-10.8.0-amd64-DVD-2.iso
> 37baf26293b8132fe95b4bd19262ca6b
> 122a2612ed63ff89db56eec0765e87268bf72318 debian-10.8.0-amd64-DVD-3.iso

Those SHA1 hashes do appear here on another mirror:

    http://mirrorservice.org/sites/cdimage.debian.org/debian-cd/10.8.0/amd64/iso-dvd/SHA1SUMS

though they seem to be associated with different files in the
sequence:

122a2612ed63ff89db56eec0765e87268bf72318 debian-10.8.0-amd64-DVD-2.iso
0b742d83d23207db9a24553100d4155eb8c701bf debian-10.8.0-amd64-DVD-3.iso

Was it a copy/paste error on your side that switched these around or
is that really what you downloaded?

> I later downloaded what seem to be the right files, anyway. They
> would make for some easy and nice forensic analysis (just
> extracting the content of those iso files, using find and diff)
> whenever I find the time to do so.

Knock yourself out but I don't see any indication that anything
nefarious has happened nor that you have downloaded tampered files,
so it just sounds like a huge waste of time.

If that's not the case and you did manage to download something that
claims to be a Debian ISO but isn't, please do tell us more.

I mean, worst case, they've somehow got the names of some genuine
files mixed up - because the SHA1 hashes match real Debian files but
with different names. That's assuming no mix up on your side. Unless
you are experiencing a SHA1 collision as well on top of everything
else.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
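The checksum question in the message above (a SHA1 that is genuine but listed against a different filename) is easy to get wrong by eyeballing hashes. The following is an added example, not code from the original thread or from the Debian project, that parses a SHA1SUMS-style list and classifies each downloaded file as matching its own entry, matching a different entry (content genuine, label wrong), matching nothing, or having no entry at all. The sample ISO contents and the checksum list are constructed in memory so it runs offline; the filenames are the ones from the thread, and the helper names are my own.

```python
"""Check downloaded files against a SHA1SUMS-style checksum list.

Added example for illustration. Sample "ISO" contents and the SHA1SUMS text are
constructed below; a real SHA1SUMS from a Debian mirror has the same
"<hex digest>  <filename>" line format and can be fed to parse_sums() unchanged.
"""
import hashlib


def parse_sums(text):
    """Parse '<hex>  <filename>' lines into {filename: hex}.

    Blank lines and '#' comments are skipped; a leading '*' on the filename
    (sha1sum's binary-mode marker) is tolerated.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        sums[name] = digest.lower()
    return sums


def sha1_of(data, chunk=1 << 20):
    """SHA1 hex digest of an in-memory blob, hashed in chunks as a file would be."""
    h = hashlib.sha1()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def classify(name, data, sums):
    """Return (status, detail) for one downloaded file.

    status is one of:
      'ok'       digest matches the entry for this filename
      'renamed'  digest matches some other entry; detail is that filename
      'mismatch' filename is listed but digest differs; detail is expected hex
      'unknown'  filename not listed and digest matches no entry
    """
    digest = sha1_of(data)
    expected = sums.get(name)
    if expected == digest:
        return "ok", None
    by_digest = {v: k for k, v in sums.items()}
    if digest in by_digest:
        return "renamed", by_digest[digest]
    if expected is None:
        return "unknown", None
    return "mismatch", expected


def check_all(downloads, sums_text):
    """Classify every (filename -> bytes) in downloads against sums_text."""
    sums = parse_sums(sums_text)
    return {name: classify(name, data, sums) for name, data in downloads.items()}


# Constructed stand-ins for the two DVD images discussed in the thread.
DVD2_CONTENT = b"constructed sample content standing in for DVD-2\n" * 64
DVD3_CONTENT = b"constructed sample content standing in for DVD-3\n" * 64

# Constructed SHA1SUMS text in the mirror's format, built from the blobs above.
SHA1SUMS_TEXT = (
    f"{sha1_of(DVD2_CONTENT)}  debian-10.8.0-amd64-DVD-2.iso\n"
    f"{sha1_of(DVD3_CONTENT)}  debian-10.8.0-amd64-DVD-3.iso\n"
)

# The situation from the thread: genuine content saved under the other name.
SWAPPED_DOWNLOADS = {
    "debian-10.8.0-amd64-DVD-2.iso": DVD3_CONTENT,
    "debian-10.8.0-amd64-DVD-3.iso": DVD2_CONTENT,
}

if __name__ == "__main__":
    for name, (status, detail) in check_all(SWAPPED_DOWNLOADS, SHA1SUMS_TEXT).items():
        print(f"{name}: {status}" + (f" ({detail})" if detail else ""))
```

A "renamed" result is exactly the case Andy describes: the bytes are a real Debian image, only the label is off. Note that the checksum list only proves anything if it is itself trusted; the Debian CD directories ship a detached signature next to each list (for example SHA1SUMS.sign, and likewise for SHA256SUMS and SHA512SUMS), which should be verified with the Debian CD signing key before the list is used at all.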

