On Fri, May 30, 2014, at 10:43 PM, Alfie John wrote:
> > The cryptographic signatures that are validated automatically by apt.
>
> What's stopping the attacker from serving a compromised apt?

Thinking about this more, if I wanted to target a Debian system via MITM, serving a compromised APT would be all I needed. In the future, a modified package could be served and it wouldn't matter what the signatures were, seeing as I could have control of APT.

Alfie

--
Alfie John
[email protected]

