On Wed, Sep 5, 2012 at 4:06 PM, Kevin Chadwick <ma1l1i...@yahoo.co.uk> wrote:
> On Wed, 5 Sep 2012 15:49:15 -0430
> Andres Perera wrote:
>
>> doesn't in any way justify
>> downloading sha256 from more than one mirror from the same connection,
>> kevin
>
> It does if a lower tier has been compromised and I never said from the
> same connection.

i don't think anybody is talking about such attacks. the subject has clearly been mitm the whole time, since it's by far the easier attack

>
> You must be one of them body language reading fools ;-)
>

no, the number of mirrors is never a factor. you are just copping out

and if you rely on the vast amount of data to weed out attackers that wouldn't waste the bandwidth it takes to replicate an obsd mirror, you aren't considering applications that divert on layer 7. ftp-proxy is an example. make an http/ftp session to the real server and only intercept GETs you care about