Djones Boni:
> On 30-10-2013 11:05, Celejar wrote:
>> You're snipping crucial context; my comment above was in response to
>> this:
>>> For apt-get a self-signed certificate could be used which comes together
>>> with Debian. No CA required. This is both simpler and safer.
>> I was pointing out that this comment makes no sense in the context of
>> apt-get. It sounds like you're referring to the website or email system.
> I am talking about updates.
>
> Yes. Apt uses OpenPGP to verify the integrity and authenticity of the
> packages it downloads.
> But how does apt get these packages? Over insecure HTTP.
>
> Hacking DNS or a MITM attack can hide updates from you or a country. Then
> you are vulnerable due to out-of-date software and you don't even know
> about it.
I think we can refer to the TUF threat model [1] when talking about attacks
against package managers.

You may have rollback attacks and/or indefinite freeze attacks in mind.
Perhaps others. Tell us.

Debian protects against these to some degree, because it uses the
Valid-Until [2] field, which is great. Package lists are valid for two
weeks, though.

Getting package lists over SSL and/or Tor hidden services could make this
even more secure.

[1] https://www.updateframework.com/projects/project/wiki/Docs/Security
[2] http://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.html

--
Archive: http://lists.debian.org/52710cc3.5040...@riseup.net
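The two TUF attacks named in the reply above, indefinite freeze and rollback, can be shown concretely against the fields a Debian Release file carries. The following is an added example written for this page; it is not apt's own code and not something either poster wrote. It parses the Date and Valid-Until headers of a Release file (the hash lists are skipped, and the OpenPGP signature is assumed to have been verified already) and classifies the file as fresh, expired past its Valid-Until (freeze), or older than an index the client already accepted (rollback). The Release excerpts and the dates are constructed for the example; the 14-day Valid-Until window mirrors the "two weeks" the reply mentions.

```python
"""Freeze and rollback checks on a Debian Release file (added example,
not apt's own code).

A mirror or man-in-the-middle that keeps serving an old, still validly
signed Release file can freeze a client on outdated packages.  The
Valid-Until field bounds how long that works; remembering the Date of
the last Release the client accepted catches an index that is older
than one already seen (rollback).  The Release contents below are
constructed for this example.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Release excerpts.  A real file also carries Architectures,
# Components and full hash lists; hash entries are indented with a space.
FRESH_RELEASE = """\
Origin: Debian
Label: Debian
Suite: stable
Codename: wheezy
Date: Wed, 30 Oct 2013 08:15:12 UTC
Valid-Until: Wed, 13 Nov 2013 08:15:12 UTC
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000 1 main/binary-amd64/Packages
"""

STALE_RELEASE = """\
Origin: Debian
Suite: stable
Date: Wed, 16 Oct 2013 08:15:12 UTC
Valid-Until: Wed, 30 Oct 2013 08:15:12 UTC
"""

NO_EXPIRY_RELEASE = """\
Origin: Example
Suite: stable
Date: Wed, 30 Oct 2013 08:15:12 UTC
"""


def parse_release(text):
    """Return the top-level 'Field: value' pairs of a Release file.

    Indented continuation lines (the per-file hash entries) are skipped.
    The signature over the file is assumed to have been checked already,
    as apt does with OpenPGP before it acts on these fields."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0] in " \t":
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_date(value):
    """Parse the RFC 2822 style timestamp Release files use, as aware UTC."""
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:  # a "-0000" zone yields a naive value; treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def verify_release(text, now, last_trusted_date=None):
    """Classify a Release file: 'ok', 'expired', 'rollback' or 'no-valid-until'.

    now: the client's clock (aware datetime).
    last_trusted_date: Date of the most recent Release this client accepted,
    or None on first run.  Treating a missing Valid-Until as a failure is
    this example's policy choice (fail closed), not something apt requires."""
    fields = parse_release(text)
    if "Valid-Until" not in fields:
        return "no-valid-until"
    if now > parse_date(fields["Valid-Until"]):
        return "expired"      # indefinite freeze: served past its lifetime
    date = parse_date(fields["Date"])
    if last_trusted_date is not None and date < last_trusted_date:
        return "rollback"     # older than an index already accepted
    return "ok"


if __name__ == "__main__":
    clock = datetime(2013, 11, 5, tzinfo=timezone.utc)
    print(verify_release(FRESH_RELEASE, clock))           # ok
    print(verify_release(STALE_RELEASE, clock))           # expired
    earlier = datetime(2013, 10, 20, tzinfo=timezone.utc)
    seen = parse_date("Wed, 30 Oct 2013 08:15:12 UTC")
    print(verify_release(STALE_RELEASE, earlier, seen))   # rollback
    print(verify_release(NO_EXPIRY_RELEASE, clock))       # no-valid-until
```

The third call shows why the two checks are separate: on 20 October the stale index is still inside its Valid-Until window, so the expiry check alone would accept it, and only the comparison against the last accepted Date exposes the rollback. Note that the expiry check is only as good as the client's clock, which is why the reply's point about transport (SSL or a Tor hidden service) matters for the attacker who can also delay or replace the index: the Release file's own fields cannot tell a client that the newer index it never saw exists.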