On Sat, 3 Jan 2009 19:46:59 +0100 cpghost <cpgh...@cordula.ws> wrote:
> On Sat, Jan 03, 2009 at 01:38:25AM +0000, RW wrote: > > On Fri, 02 Jan 2009 17:30:12 +0000 > > Vincent Hoffman <vi...@unsane.co.uk> wrote: > > > Admittedly this doesn't give a file by file checksum > > > > That's not really a problem, it's no easier to create a collision > > in a .gz file than a patch file. > > > > The more substantial weakness is that the key is verified against a > > hash stored on the original installation media. If someone went to > > the trouble of diverting dns or routing to create a fake FreeBSD > > site they would presumably make it self-consistent down to the ISO > > checksums. > > That's why I suggested that the list of checksums be digitally signed > by a private key belonging to The FreeBSD Project. It is assumed that > getting the corresponding public key would be possible by other means > not susceptible to MITM attacks (e.g. through endless replication all > over the net, fingerprint in books etc...). My point is that having signed updates etc (which is essentially what freebsd-update and portsnap do) is undermined if the original iso is not obtained securely. Currently that appears to be the weakest link. _______________________________________________ email@example.com mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"