On Wed, 5 Sep 2012 16:49:34 -0430 Andres Perera wrote:

> On Wed, Sep 5, 2012 at 4:06 PM, Kevin Chadwick <ma1l1i...@yahoo.co.uk> wrote:
> > On Wed, 5 Sep 2012 15:49:15 -0430
> > Andres Perera wrote:
> >
> >> doesn't in any way justify
> >> downloading sha256 from more than one mirror from the same connection,
> >> kevin
> >
> > It does if a lower tier has been compromised and I never said from the
> > same connection.
>
> i don't think anybody is talking about such attacks. the subject has
> clearly been mitm the whole time, since it's by far the easier attack
>
Surely that depends on the networks; if you're using OpenBSD it's quite likely the other end which is more likely MITM'd or compromised, which is half my point for many reasons. I'll admit crap routers are almost everywhere though. The OP's mail: "Is there any way to verify that distribution sets and packages that I have downloaded have not been tampered with (e.g., by someone with access to the mirror from which I downloaded them)?"

>
> > > You must be one of them body language reading fools ;-)
> >
> > That was a joke due to your patronising, Andres.
>
> no, the number of mirrors is never a factor. you are just copping out
>

Of course it is, less likely these days, but for non-local MITM the mirrors may be in different directions not crossing the attacker's path.

> and if you rely on the vast amount of data to weed out attackers that
> wouldn't waste the bandwidth it takes to replicate an obsd mirror, you
> aren't considering applications that divert on layer 7. ftp-proxy is
> an example. make an http/ftp session to the real server and only
> intercept GETs you care about

Where did that come from, my mention of checksums being possibly noticed when wrong, as has occurred in ports maliciously and happens when the mirrors are out of sync for snapshots?
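The cross-check the thread argues about, written out as an added example (not code from either poster or from the OpenBSD project): pull the entry for one set file out of several mirrors' SHA256 lists in OpenBSD's "SHA256 (name) = hex" format, refuse to proceed if the lists disagree or lack the entry, and only then compare the local copy. The mirror lists and the set file here are constructed sample data; the sha256sum call and the file names are assumptions.

```shell
# Cross-check one file's SHA256 entry across several mirrors' SHA256 lists
# (OpenBSD "SHA256 (name) = hex" format), then verify the local copy.
# Exit codes: 0 ok, 1 mirrors disagree, 2 local hash mismatch, 3 no entry.

hash_from_sha256_file() {
    # $1 = SHA256 list, $2 = file name; prints the hex digest or nothing
    sed -n "s/^SHA256 ($2) = \([0-9a-f]\{64\}\)\$/\1/p" "$1"
}

local_sha256() {
    sha256sum "$1" | cut -d' ' -f1   # on OpenBSD use: sha256 -q "$1"
}

verify_against_mirrors() {
    file=$1; shift
    name=$(basename "$file")
    expected=""
    for list in "$@"; do
        h=$(hash_from_sha256_file "$list" "$name")
        [ -n "$h" ] || { echo "no entry for $name in $list" >&2; return 3; }
        if [ -z "$expected" ]; then
            expected=$h
        elif [ "$h" != "$expected" ]; then
            echo "mirror disagreement on $name: $list" >&2; return 1
        fi
    done
    [ "$(local_sha256 "$file")" = "$expected" ] ||
        { echo "$name: checksum mismatch" >&2; return 2; }
    echo "$name: all $# lists agree and the local copy matches"
}

make_fixture() {
    # Constructed sample data: one set file and three mirrors' lists, the
    # third carrying a wrong digest as a tampered mirror would. Prints the dir.
    d=$(mktemp -d)
    printf 'constructed sample set contents\n' > "$d/base52.tgz"
    good=$(local_sha256 "$d/base52.tgz"); bad=$(printf '%064d' 0)
    printf 'SHA256 (base52.tgz) = %s\n' "$good" > "$d/SHA256.mirror1"
    printf 'SHA256 (base52.tgz) = %s\n' "$good" > "$d/SHA256.mirror2"
    printf 'SHA256 (base52.tgz) = %s\n' "$bad"  > "$d/SHA256.mirror3"
    echo "$d"
}

# Stand-alone demo: an honest pair of mirrors, then one that disagrees.
fx=$(make_fixture)
verify_against_mirrors "$fx/base52.tgz" "$fx/SHA256.mirror1" "$fx/SHA256.mirror2"
verify_against_mirrors "$fx/base52.tgz" "$fx/SHA256.mirror1" "$fx/SHA256.mirror3" || echo "rejected, rc=$?"
rm -rf "$fx"
```

A disagreement between lists fetched over independent paths is the signal the thread describes; it says nothing about which mirror is honest, only that the download should not be trusted until that is resolved.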