On Fri, May 30, 2014 at 11:50:32PM +1000, Alfie John wrote: > Several times (public and private) I tried to explain how the download > of APT (the binary itself) on an initial Debian install could be > compromised via MITM since it's over plaintext. Then the verification of > packages could simply be skipped (hence NOP). I'm not sure why you're > bringing libc and libgpg into the conversation. > > Alfie >
Hello. The thing is: When you download an .iso file, that .iso file also contains a signing key used to verify each package it downloads during the installation. Encryption is not important in this aspect, because what you are downloading is already publicly available and not secret. Everyone can download the same packages as the installer. Those are already public. The important bit is to verify that what you are downloading either manually, or via the installer, hasn't been tampered with. That is verification, and that is what is interesting here. The .iso file already contains a public key, and verifies every package it downloads along the way. You can disable that by hacking a bit in the installer, but it does requires an effort. For the next problem: Some mirror might theoretically have an .iso file which has been tampered with, but you should check the checksum for that file with what you find in the debian web-pages. If you download a .iso file via HTTP, it might have been tampered with, and if someone is intercepting your request for the public key, it might be changed. But i think that would be a problem anyways... -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140530141605.GC17668@s1.t11.local
