On Sat, 3 Jan 2009 19:46:59 +0100
cpghost <cpgh...@cordula.ws> wrote:

> On Sat, Jan 03, 2009 at 01:38:25AM +0000, RW wrote:
> > On Fri, 02 Jan 2009 17:30:12 +0000
> > Vincent Hoffman <vi...@unsane.co.uk> wrote:
> > > Admittedly this doesn't give a file by file checksum
> > 
> > That's not really a problem, it's no easier to create a collision
> > in a .gz file than a patch file. 
> > 
> > The more substantial weakness is that the key is verified against a
> > hash stored on the original installation media. If someone went to
> > the trouble of diverting dns or routing to create a fake FreeBSD
> > site they would presumably make it self-consistent down to the ISO
> > checksums.
> That's why I suggested that the list of checksums be digitally signed
> by a private key belonging to The FreeBSD Project. It is assumed that
> getting the corresponding public key would be possible by other means
> not susceptible to MITM attacks (e.g. through endless replication all
> over the net, fingerprint in books etc...).

My point is that having signed updates etc (which is essentially what
freebsd-update and portsnap do) is undermined if the original iso is not
obtained securely. Currently that appears to be the weakest link. 

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Reply via email to