On 07/03/2013 04:47 AM, intrigeri wrote:
Hi,
Jonathan Wilkes wrote (02 Jul 2013 21:57:01 GMT) :
On 07/02/2013 12:46 PM, Jonathan Wilkes wrote:
On 07/02/2013 04:51 AM, intrigeri wrote:
+ verify that the signed file you've downloaded is actually the
version you intended to download, and not an older, also properly
signed one.
[...]
Does Debian's "Valid-Until" field in the release files solve this problem?
After getting some help on #debian-apt, I can at least say that the
"Valid-Until"
field in the release file for Debian security updates is indeed intended to
address
replay attacks.
The Valid-Until mechanism (when it's used by the APT repository at
all) typically ensures an attacker can't hide available security
updates for more than a week.
You say "when it's used at all":
My understanding is that it's used for security updates (and possibly
some other repos), and not used for stable releases. Are there security
updates that don't use "Valid-Until"?
The remaining question is this: what is an example of a potential attack
that
exploits the absence of a "Valid-Until" header in a stable release? A
stable version
of Debian is canonical, so there is nothing for an attacker to replay
unless
it's from a previous version of Debian which has a different key and,
therefore,
would set off alarm bells from apt.
-Jonathan
This is sometimes good enough.
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
--
Too many emails? Unsubscribe, change to digest, or change password by emailing
moderator at [email protected] or changing your settings at
https://mailman.stanford.edu/mailman/listinfo/liberationtech
--
Too many emails? Unsubscribe, change to digest, or change password by emailing
moderator at [email protected] or changing your settings at
https://mailman.stanford.edu/mailman/listinfo/liberationtech
