hecklist
- https://wiki.debian.org/Hardening
Alfie
--
Alfie John
alf...@fastmail.fm
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive:
https://lists.debian.org/1430
On Sat, May 31, 2014, at 12:39 AM, Michael Stone wrote:
> On Sat, May 31, 2014 at 12:32:59AM +1000, Alfie John wrote:
> >I'm definitely wanting to engage in serious discussion. I'm an avid
> >Debian user and am wanting to protect its users. This *is* the Debian
> >
On Sat, May 31, 2014, at 12:11 AM, Michael Stone wrote:
> On Fri, May 30, 2014 at 11:50:32PM +1000, Alfie John wrote:
> >Several times (public and private) I tried to explain how the
> >download of APT (the binary itself) on an initial Debian install
> >could be compromise
ust look over at our security tracker
> and find that this package has an exploit...
It's only metadata, so who cares right? Only kidding. This is a totally
legitimate scenario which I didn't think of. Nice.
Alfie
--
Alfie John
alf...@fastmail.fm
tried to explain how the download
of APT (the binary itself) on an initial Debian install could be
compromised via MITM since it's over plaintext. Then the verification of
packages could simply be skipped (hence NOP). I'm not sure why you're
bringing libc and libgpg into the conversat
On Fri, May 30, 2014, at 11:29 PM, Michael Stone wrote:
> On Fri, May 30, 2014 at 11:25:58PM +1000, Alfie John wrote:
> >Well yes, that's something. But serving Debian over HTTPS would prevent
> >the need for this.
>
> No, it wouldn't--you'd just have a d
e who
> actually trust the CA system.
That was my next question. If the fingerprints are on an HTTPS-served
page, then yes, that seems like a valid solution.
And thanks Reid Sutherland for telling me I have no clue. Much
appreciated.
Alfie
--
Alfie John
alf...@fastmail.fm
On Fri, May 30, 2014, at 11:24 PM, Michael Stone wrote:
> On Fri, May 30, 2014 at 11:13:31PM +1000, Alfie John wrote:
> >As I posted earlier, all you would need to do is to MITM the
> >install of APT during an install. Who cares what the signatures look
> >like s
can be flawed and nobody bats an eye, APT uses GnuPG and
> everyone (this guy) loses their mind?
Strawman much? What does bringing up OpenSSL have to do with
Debian mirrors being MITMed?
Alfie
--
Alfie John
alf...@fastmail.fm
On Fri, May 30, 2014, at 11:03 PM, Estelmann, Christian wrote:
> In Oct 2013 a similar discussion started
> https://lists.debian.org/debian-security/2013/10/msg00027.html
Thanks for the link, but that discussion went nowhere pretty fast.
Alfie
--
Alfie John
alf...@fastmail.fm
an install. Who cares what the signatures look
like since you've NOPed the checksumming code!
Alfie
--
Alfie John
alf...@fastmail.fm
ting HTTPS, it would prevent QuantumInsert and FoxAcid being
implemented during Debian installs and later package installs/updates.
If you're worried about SSL certificates being compromised, going down
the path of Debian self-signing its own certificate and distributing it
via SneakerNet would be a
On Fri, May 30, 2014, at 10:43 PM, Alfie John wrote:
> > The cryptographic signatures that are validated automatically by apt.
>
> What's stopping the attacker from serving a compromised apt?
Thinking about this more, if I wanted to target a Debian system via
MITM, serving
On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
> On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
> >The public Debian mirrors seem like an obvious target for governments to
> >MITM. I know that the MD5s are also published, but unless you're
> >verifyi
rties, what's stopping the MD5s being
compromised too?
Is there any compelling reason why the public Debian mirrors aren't
served over HTTPS? If there isn't any, then further to this, is there
any reason not to mandate that all public Debian mirrors be HTTPS-only?
Alfie
--
Alfie John