On 03/14/2017 05:19 PM, cubit wrote:
> 14. Mar 2017 04:39 by [email protected]:
>> GPG is sufficient for verification, although using HTTPS would conceal which software packages you are using
>
> GPG does not protect against a MITM downgrade attack to a validly signed but older vulnerable version of a piece of software
It does in a way, if your distro signs a master 'repo' file that is timestamped. Then you can confidently display the date/time or "freshness" of the data to the user. Also, it limits the attacker to holding back the *entire* repository (assuming the user doesn't notice the old date).
This is common and should work because it's fairly easy to encounter news about updates out-of-band---plus, the user will have expectations about update frequency.
Fedora *unfortunately* is the black sheep here. It doesn't sign a repo file, therefore an attacker can hold back individual packages within what appears to the user as a stream of normal update cycles.
Note: Qubes project is interested in getting Debian into dom0. In the meantime, it's fairly easy to use Debian for templates.
--
Chris Laprise, [email protected]
https://twitter.com/ttaskett
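Added example, not part of the original message: a freshness check over the timestamped repository file described above, using the `Date` and `Valid-Until` fields of a Debian-style Release file. It assumes the file's GPG signature has already been verified; the function names, the 10-day threshold and the `last_seen` rollback comparison are assumptions that go slightly beyond what the message describes.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: header fields of a Debian-style Release file.
SAMPLE_RELEASE = """\
Origin: Debian
Suite: stable
Date: Sat, 11 Mar 2017 09:00:00 UTC
Valid-Until: Sat, 18 Mar 2017 09:00:00 UTC
SHA256:
 <constructed-placeholder-digest> 1234 main/binary-amd64/Packages
"""

def parse_fields(text):
    """Return top-level 'Key: value' fields, skipping indented checksum lines."""
    fields = {}
    for line in text.splitlines():
        if line and not line[0].isspace() and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def check_freshness(release_text, now, max_age=timedelta(days=10), last_seen=None):
    """Classify already-verified metadata as fresh, stale, expired or rollback.

    last_seen is the Date of the newest metadata this client accepted before.
    """
    fields = parse_fields(release_text)
    if "Date" not in fields:
        raise ValueError("metadata carries no Date field; freshness unknown")
    signed_at = parsedate_to_datetime(fields["Date"])
    # Older than something we already accepted: the repository was held back.
    if last_seen is not None and signed_at < last_seen:
        return "rollback", signed_at
    # The signer's own expiry bounds how long a frozen copy can be replayed.
    if "Valid-Until" in fields and now > parsedate_to_datetime(fields["Valid-Until"]):
        return "expired", signed_at
    # No expiry (or not yet reached): fall back to a local age policy.
    if now - signed_at > max_age:
        return "stale", signed_at
    return "fresh", signed_at

if __name__ == "__main__":
    now = datetime(2017, 3, 14, 17, 19, tzinfo=timezone.utc)
    status, signed_at = check_freshness(SAMPLE_RELEASE, now)
    print(f"{status}: metadata signed {signed_at:%Y-%m-%d %H:%M} UTC")
```

Because the timestamp covers the whole index, this check only detects the entire repository being held back, which is the limit the message points out.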
