On Thu, Jul 17, 2008 at 11:30:12AM -0400, Micah Anderson wrote:
> Although PGP-signed Release files prevent tampering with files, the attack doesn't require tampering with files or tampering with signed release files. If I were to MitM security.debian.org, I could provide an outdated (yet properly signed) mirror of the security packages to you. I would simply supply, via a MitM, a mirror that was not updated, so that the packages you were getting were valid and signed. They just are out-dated, so that you would not receive critical security upgrades.
Sure. Luckily we have multiple channels by which information about security updates is distributed, so people will know if they are missing updates. Note that you will have to MITM multiple servers as security.debian.org is a round robin, and any update of the Packages will invalidate older versions.
> Following on that attack is the fact that it's easy to join the mirror network and once you are in, you can do the same thing as above and keep your mirror a day or four out of date, so that people who use your mirror aren't getting updates for issues that enter through the normal channels. You also have a list of IPs that use your mirror that don't have these updates.
It is not easy to become a security mirror. Becoming a non-security mirror doesn't lead to an obviously interesting attack. Unless you're talking about people tracking unstable, but in my experience people tracking unstable notice if a day passes without updates...
Mike Stone
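A client-side freshness check for a Release file, added here as an example to go with the thread (it is not code from the list or from Debian's apt): a frozen mirror serves a Release that still verifies, so the Date field (and Valid-Until where present) has to be checked as well. The Release header lines are a constructed sample, and the two-day cutoff and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def parse_release_header(text):
    """Return the 'Key: value' fields at the top of a Release file as a dict.
    Parsing stops at the first blank or indented line (the checksum lists)."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line[0].isspace():
            break
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def release_staleness(text, now=None, max_age=timedelta(days=2)):
    """Return (stale, reason). A validly signed but old Release is exactly
    what a frozen mirror serves, so check Date as well as the signature.
    max_age is an assumed local policy, not a Debian value."""
    now = now or datetime.now(timezone.utc)
    fields = parse_release_header(text)
    if "Date" not in fields:
        return True, "no Date field"
    if "Valid-Until" in fields:  # newer Release files carry an expiry
        if now > parsedate_to_datetime(fields["Valid-Until"]):
            return True, "Valid-Until has passed"
    age = now - parsedate_to_datetime(fields["Date"])
    if age > max_age:
        return True, f"Release is {age.days} days old"
    return False, "fresh"

def make_release(date_str, valid_until=None):
    """Build a constructed Release header block (sample data, not a real file)."""
    lines = ["Origin: Debian", "Label: Debian-Security", "Suite: stable",
             "Codename: lenny", f"Date: {date_str}"]
    if valid_until:
        lines.append(f"Valid-Until: {valid_until}")
    lines += ["Architectures: amd64 i386", "Components: main contrib non-free", ""]
    return "\n".join(lines)

def audit(date_str, now_str, valid_until=None):
    """Evaluate a constructed Release as seen at time now_str (RFC 2822 dates)."""
    return release_staleness(make_release(date_str, valid_until),
                             parsedate_to_datetime(now_str))
```

Run against a real `/var/lib/apt/lists/*_Release` file, a stale result means the mirror has not been updated (whether by a MitM, a frozen mirror, or plain neglect) and should be cross-checked against another mirror or the security announcements.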