"Brian May" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Joe Smith wrote:
> > However, if the security updates come from trusted security mirrors
> > rather than a general mirror, that attack would fail too. So with the
> > exception of Sid or Testing users that do not use the testing-security
> > system to receive security updates, Debian really is not terribly
> > vulnerable to this.
>
> It would still be possible to mount this attack if the attacker can
> intercept packets on the way to the official trusted security mirror and
> redirect them (e.g. transparent proxy) to an older copy of the mirror.
Well that is true. It is however, more difficult to pull off than the
get-an-official-mirror-and-run-a-replay-attack described in the article.
Anybody could do what is described in the article with little difficulty. It
is far more difficult to set up packet interception.

Use of https on the security mirror should virtually eliminate the
Man-in-the-middle risk.

I think that would make stable immune to security replay attacks.
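The replay attack discussed in this thread works because a stale copy of a mirror still carries a validly signed Release file. One defensive check a client can make, added here as an illustration and not code from the thread or from Debian's apt, is to read the Release file's Date and Valid-Until fields (real Debian Release header fields) and refuse a snapshot that is expired or older than a chosen age. It assumes the Release signature has already been verified, so the attacker cannot forge these dates; the sample Release header below is constructed.

```python
import email.utils
from datetime import timedelta, timezone

# Constructed sample of a Release file header as a mirror would serve it
# (not a real Debian file). Real files continue with hash lists whose
# lines start with a space.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Codename: example
Date: Sat, 01 Mar 2003 12:00:00 UTC
Valid-Until: Sat, 08 Mar 2003 12:00:00 UTC
Architectures: i386
"""


def parse_release_header(text):
    """Return the RFC 822-style 'Key: value' fields of a Release file."""
    fields = {}
    for line in text.splitlines():
        if not line or line.startswith(" "):
            continue  # blank line or hash-list continuation line
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def parse_date(value):
    """Parse an RFC 822 date as used in Release files into an aware datetime."""
    dt = email.utils.parsedate_to_datetime(value)
    if dt.tzinfo is None:  # treat a bare timestamp as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def release_status(fields, now, max_age=timedelta(days=7)):
    """Classify a (signature-verified) Release snapshot relative to 'now'.

    'expired': Valid-Until has passed (the archive's own freshness bound).
    'stale':   no Valid-Until, and Date is older than max_age; this is the
               case a replayed old mirror copy would fall into.
    'fresh':   otherwise.
    """
    valid_until = fields.get("Valid-Until")
    if valid_until is not None and now > parse_date(valid_until):
        return "expired"
    if now - parse_date(fields["Date"]) > max_age:
        return "stale"
    return "fresh"
```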