Hannah Schroeter wrote:
> ...
>> AFS is also encrypted, but unless it's used to
>> get all the tarballs and make them accessible locally (e.g. make a cd)
>> it's not a help during the installation.
> 
> I don't know enough about AFS to say anything about how to secure it
> from the beginning on.

I'm not very knowledgeable, but have been looking at the documentation
lately:
        http://www.openafs.org/pages/doc/AdminGuide/auagd007.htm#HDRWQ75

> ...
>> Given the existence of Windows servers (aka compromised machines) on
>> many networks, there are many chances for traffic to be intercepted,
>> often even DNS.  So man-in-the-middle attacks appear to be theoretically
>> easy during the first part of an OpenBSD network installation.
> 
> Yes, alas. And especially, for government "legal" interception, where
> they could legally enlist help from ISPs.

So, intentional (corporate or government agreement with ISP) or
unintentional (use of M$ on ISP DNS server), could allow the initial
installation to become compromised, perhaps in a hard-to-detect way.

None of this seems to be solved in the installation guide:
        http://openbsd.org/faq/faq4.html

Again, it looks like it might come down to keys or fingerprints and that
the network install might be deprecated.  Rather, download, verify,
then install.

-Lars
