On 2014-05-30 13:43, Alfie John wrote:
On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
>The public Debian mirrors seem like an obvious target for governments to
>MITM. I know that the MD5s are also published, but unless you're
>verifying them with third parties, what's stopping the MD5s being
>compromised too?

The cryptographic signatures that are validated automatically by apt.

What's stopping the attacker from serving a compromised apt?

How would you get the client's system to install it in the first place? (More specifically, how would you get the cryptographic signature to match your package, given a lack of access to any of the keys trusted by the client's system?)

There's something of a chicken and egg problem to your idea.

Regards,

Adam
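The chain Adam describes, as an added illustration that is not part of the thread: the client ships with the archive's public key, apt checks the signature on Release before trusting any hash below it, and a mirror that swaps a package or re-signs the chain with its own key fails either step. Ed25519 stands in for the archive's OpenPGP key, the file names and field matching are simplified, and all inputs are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Repo is what a mirror serves: the package, the Packages index listing its hash,
// the Release file listing the index's hash, and the signature over Release.
type Repo struct{ Deb, Packages, Release, Sig []byte }

func sha256Hex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// BuildRepo builds the hash chain for one package and signs Release with signer.
// Ed25519 stands in for the archive's OpenPGP key; the chain structure is the point.
func BuildRepo(signer ed25519.PrivateKey, deb []byte) Repo {
	pkgs := []byte("Package: demo\nSHA256: " + sha256Hex(deb) + "\n")
	rel := []byte("Suite: stable\nSHA256: " + sha256Hex(pkgs) + " Packages\n")
	return Repo{deb, pkgs, rel, ed25519.Sign(signer, rel)}
}

// Verify is the client side: it trusts only `trusted`, checks the Release signature
// first, then follows the hashes down to the package bytes (substring matching
// instead of real apt's field parsing keeps this short).
func Verify(trusted ed25519.PublicKey, r Repo) error {
	if !ed25519.Verify(trusted, r.Release, r.Sig) {
		return errors.New("Release signature not made by a trusted key")
	}
	if !strings.Contains(string(r.Release), "SHA256: "+sha256Hex(r.Packages)) {
		return errors.New("Packages hash not listed in signed Release")
	}
	if !strings.Contains(string(r.Packages), "SHA256: "+sha256Hex(r.Deb)) {
		return errors.New("package hash does not match Packages index")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)   // archive key; only pub ships with the client
	_, mitmPriv, _ := ed25519.GenerateKey(nil) // a key the client has never trusted
	good := BuildRepo(priv, []byte("genuine apt .deb"))
	swapped := good // mirror swaps the package but cannot re-sign Release
	swapped.Deb = []byte("backdoored apt .deb")
	fmt.Println("genuine mirror:", Verify(pub, good))
	fmt.Println("swapped .deb under original Release:", Verify(pub, swapped))
	fmt.Println("whole chain re-signed by attacker:", Verify(pub, BuildRepo(mitmPriv, swapped.Deb)))
}
```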


Archive: 
https://lists.debian.org/f78d4218bec9db44c0d491e4318f2...@mail.adsl.funky-badger.org

Reply via email to