Michael Stone <[EMAIL PROTECTED]> writes:

> On Thu, Jul 17, 2008 at 11:30:12AM -0400, Micah Anderson wrote:
>> Although PGP-signed Release files prevent tampering with files, the
>> attack doesn't require tampering with files or tampering with signed
>> release files. If I were to MitM security.debian.org, I could provide
>> an outdated (yet properly signed) mirror of the security packages to
>> you. I would simply supply, via a MitM, a mirror that was not updated,
>> so that the packages you were getting were valid and signed. They just
>> are out-dated, so that you would not receive critical security
>> upgrades.
>
> Sure. Luckily we have multiple channels by which information about
> security updates is distributed, so people will know if they are
> missing updates. Note that you will have to MITM multiple servers as
> security.debian.org is a round robin, and any update of the Packages
> will invalidate older versions.
Or just one DNS server or even just the user's client.

MfG
        Goswin

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
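The outdated-but-properly-signed mirror described in the thread is a freeze/replay attack: the signature proves who produced the Release file, not that it is current. Below is an added example (not code from this thread or from apt) of the freshness and rollback checks a client can apply to the signed Date and Valid-Until fields that Debian Release files carry; the Release text, its dates and the "last accepted Date" value are constructed for illustration.

```python
# Added example: freshness and rollback checks on an apt Release file.
# A valid PGP signature proves who produced the file, not that it is
# current; the signed Date and Valid-Until fields carry that information.
from datetime import datetime, timedelta, timezone

DATE_FMT = "%a, %d %b %Y %H:%M:%S %Z"   # Release files always use UTC

# Constructed sample, as a frozen mirror might serve it. The signature
# over this text would still verify; only the dates give it away.
STALE_RELEASE = """\
Origin: Debian
Suite: stable-security
Date: Sat, 01 Jun 2024 10:00:00 UTC
Valid-Until: Sat, 08 Jun 2024 10:00:00 UTC
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 main/binary-amd64/Packages
"""

def parse_release(text):
    """Top-level fields of a Release file as a dict; the indented
    checksum table lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0] in " \t":
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def parse_date(value):
    return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)

def check_release(text, now, last_seen=None, max_age=timedelta(days=7)):
    """Classify an already signature-verified Release file: "rollback" if
    Date is older than the newest Date this client previously accepted
    (the mirror went backwards), "expired" if Valid-Until has passed,
    "stale" if there is no Valid-Until and Date is older than max_age."""
    fields = parse_release(text)
    date = parse_date(fields["Date"])
    if last_seen is not None and date < last_seen:
        return "rollback"
    if "Valid-Until" in fields:
        if now > parse_date(fields["Valid-Until"]):
            return "expired"
    elif now - date > max_age:
        return "stale"
    return "ok"
```

A client that stores the newest accepted Date alongside its keyring gets the rollback check even against a mirror that serves a signed Release file old enough to predate Valid-Until.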