On Fri, May 30, 2014, at 10:43 PM, Alfie John wrote:
> > The cryptographic signatures that are validated automatically by apt.
>
> What's stopping the attacker from serving a compromised apt?

Thinking about this more, if I wanted to target a Debian system via MITM, serving a compromised APT would be all I needed. In the future, a modified package could be served and it wouldn't matter what the signatures were, seeing as I could have control of APT.

Alfie

--
  Alfie John
  alf...@fastmail.fm