Hannah Schroeter wrote:
> ...
>> AFS is also encrypted, but unless it's used to
>> get all the tarballs and make them accessible locally (e.g. make a cd)
>> it's not a help during the installation.
>
> I don't know enough about AFS to say anything about how to secure it
> from the beginning on.

I'm not very knowledgeable, but have been looking at the documentation lately:

http://www.openafs.org/pages/doc/AdminGuide/auagd007.htm#HDRWQ75

> ...
>> Given the existence of Windows servers (aka compromised machines) on
>> many networks, there are many chances for traffic to be intercepted,
>> often even DNS. So man-in-the-middle attacks appear to be theoretically
>> easy during the first part of an OpenBSD network installation.
>
> Yes, alas. And especially, for government "legal" interception, where
> they could legally enlist help from ISPs.

So, intentional (corporate or government agreement with ISP) or
unintentional (use of M$ on ISP DNS server), could allow the initial
installation to become compromised, perhaps in a hard-to-detect way.

None of this seems to be solved in the installation guide:

http://openbsd.org/faq/faq4.html

Again, it looks like it might come down to keys or fingerprints and that
the network install might be depreciated. Rather, download, verify, then install.

-Lars
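
The "download, verify, then install" order suggested above, sketched as an added shell example that is not part of the original message or of the OpenBSD installer. It assumes sha256sum(1), a manifest in its text format, and a manifest digest obtained through a separate channel; the file names and the demo function are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes sha256sum(1) and a manifest in its text format:
# "<hex digest>  <file name>", one entry per line.

sha256_of() {   # print only the hex digest of file $1
    sha256sum "$1" | awk '{print $1}'
}

# verify_sets DIR MANIFEST PINNED
# 0 = safe to install, 1 = a set is missing or altered,
# 2 = the manifest itself does not match the out-of-band digest.
verify_sets() {
    dir=$1 manifest=$2 pinned=$3
    # Anchor trust first: a manifest fetched over the same path as the sets
    # proves nothing, since an interceptor can rewrite both.
    if [ "$(sha256_of "$dir/$manifest")" != "$pinned" ]; then
        echo "manifest does not match pinned digest" >&2
        return 2
    fi
    # Only now is the manifest worth checking the sets against.
    while read -r want name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ] || [ "$(sha256_of "$dir/$name")" != "$want" ]; then
            echo "missing or altered: $name" >&2
            return 1
        fi
    done < "$dir/$manifest"
    return 0
}

# demo: constructed files in a temp dir; prints the three result codes.
demo() {
    d=$(mktemp -d) || return 1
    printf 'set A\n' > "$d/setA.tgz"; printf 'set B\n' > "$d/setB.tgz"
    (cd "$d" && sha256sum setA.tgz setB.tgz > MANIFEST)
    pin=$(sha256_of "$d/MANIFEST")      # stands in for the out-of-band value
    r1=0; verify_sets "$d" MANIFEST "$pin" 2>/dev/null || r1=$?
    printf 'tampered\n' > "$d/setA.tgz" # set altered in transit
    r2=0; verify_sets "$d" MANIFEST "$pin" 2>/dev/null || r2=$?
    (cd "$d" && sha256sum setA.tgz setB.tgz > MANIFEST)  # manifest rewritten too
    r3=0; verify_sets "$d" MANIFEST "$pin" 2>/dev/null || r3=$?
    rm -rf "$d"
    echo "$r1 $r2 $r3"
}
```

The third case is the one the thread worries about: a manifest that agrees with the altered set still fails, because the pinned digest did not travel over the intercepted path.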