m8il1i...@gmail.com (Kevin Chadwick), 2018.02.21 (Wed) 19:07 (CET):
> On Wed, 21 Feb 2018 10:10:30 +0100
>
> > I know this is a little bit farfetched, pardon my ignorance, but
> > OpenBSD seems vulnerable on first installation. In case of DNS
> > poisoning, what can stop a virus from forwarding the installer to a
> > false SHA256.sig and false repository? My guess would be to use
> > DNSSEC and a local copy of an OpenBSD repository to avoid such an issue.
>
> If you boot an unverified iso, then what is to stop it replacing your
> bios?
>
> Authentication is always bootstrapped by manual processes, including
> your resolver key! Also DNSSEC is rarely used and mostly RSA 1024 bit.
>
> ecdsa will hopefully get more adoption than RSA has despite I believe
> persisting to enable amplification albeit to a far smaller degree.
>
> T-shirts of keys were made and can be found in various places including
> youtube, worn by developers etc., so that you can verify the iso file
> before booting it.

https://marc.info/?m=151103166108846
http://www.ebay.ca/itm/Official-OpenBSD-6-2-CD-Set/253265944606
https://i.ebayimg.com/images/g/fS4AAOSwH-daEH6S/s-l1600.jpg

yet another source to compare ;-)

Marcus
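
The comparison suggested in the thread, as an added example that is not part of the original messages: it parses a signify public key as transcribed from several independent sources and accepts it only if every copy decodes to the same key. The function names are hypothetical and the key material is constructed for the example, not a real OpenBSD release key.

```python
import base64

def make_constructed_key(seed):
    """Build a constructed (not real) signify-style public key line."""
    raw = b"Ed" + bytes([seed] * 8) + bytes((seed + i) % 256 for i in range(32))
    return base64.b64encode(raw).decode()

def parse_signify_pubkey(text):
    """Return (keynum_hex, key_bytes); raise ValueError if malformed.

    Accepts the two-line file form or the bare base64 line as it
    would be copied from a T-shirt or CD sleeve.
    """
    lines = [s for s in (l.strip() for l in text.splitlines())
             if s and not s.startswith("untrusted comment:")]
    if len(lines) != 1:
        raise ValueError("expected exactly one base64 line")
    try:
        raw = base64.b64decode(lines[0], validate=True)
    except Exception as exc:
        raise ValueError("not valid base64") from exc
    # signify layout: 2-byte algorithm "Ed", 8-byte key number, 32-byte key
    if len(raw) != 42 or raw[:2] != b"Ed":
        raise ValueError("not a signify Ed25519 public key")
    return raw[2:10].hex(), raw[10:]

def compare_sources(sources):
    """sources maps a source name to key text. Return (agreed, detail).

    Agreement needs at least two sources, no parse errors, and one
    distinct (key number, key) pair across all of them.
    """
    parsed, errors = {}, {}
    for name, text in sources.items():
        try:
            parsed[name] = parse_signify_pubkey(text)
        except ValueError as exc:
            errors[name] = str(exc)
    distinct = set(parsed.values())
    agreed = not errors and len(parsed) >= 2 and len(distinct) == 1
    return agreed, {"parsed": parsed, "errors": errors}

if __name__ == "__main__":
    key = make_constructed_key(1)
    sources = {  # constructed sample input
        "mirror file": "untrusted comment: constructed key\n" + key + "\n",
        "t-shirt photo": key,
        "cd sleeve photo": make_constructed_key(2),  # differs on purpose
    }
    print(compare_sources(sources))
```

Only after the copies agree is the key worth passing to `signify -C -p <pubkey> -x SHA256.sig` to check the installer image.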