On 8/7/20 2:56 PM, 'awokd' via qubes-users wrote:
> fiftyfourthparal...@gmail.com:
>
>> Right now my plan is to take the output of 'rpm -qa' or 'yum list
>> installed' and compare it via some sort of 'match' or 'crosscheck' function
>> to a repo list pulled from somewhere secure (i.e. not tampered with by
>> potential adversaries) and maybe imported into dom0 from a specialized
>> secure appVM, creating a security tradeoff.
>
> "[P]ulled from somewhere secure" - if the concern is someone tampering
> with your HTTPS traffic in particular, you will probably want to use a
> different method of obtaining the repo list. Tor might work.

I think this is only properly done via a trusted .onion address, i2p address, etc... Unless Tor's DNS lookups have been improved since the last time I checked.

Just for reference, the threat model I'm thinking of here is when an attacker tries to MiTM while having the cooperation of the certificate authority.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
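
Added example, not part of the original messages: one way to do the 'crosscheck' described in the quoted plan. It assumes both lists are tab-separated name, version-release, arch (the rpm query format shown in the first comment); the function names and the sample data are made up for illustration, and how the trusted list is obtained is the question the thread discusses.

```python
# Added example: crosscheck installed RPMs against a trusted package list.
# Assumed format for both lists, one package per line, tab-separated:
#   rpm -qa --qf '%{NAME}\t%{VERSION}-%{RELEASE}\t%{ARCH}\n'
from collections import defaultdict


def parse(text):
    """Return {(name, arch): {version-release, ...}}; reject malformed lines."""
    pkgs = defaultdict(set)
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 3 or not all(f.strip() for f in fields):
            raise ValueError(f"line {lineno}: expected 3 tab-separated fields")
        name, vr, arch = (f.strip() for f in fields)
        pkgs[(name, arch)].add(vr)
    return pkgs


def crosscheck(installed_text, trusted_text):
    """Sort installed packages into buckets that need a human look."""
    installed, trusted = parse(installed_text), parse(trusted_text)
    report = {"unknown": [], "mismatch": [], "keys": []}
    for (name, arch), versions in sorted(installed.items()):
        for vr in sorted(versions):
            entry = f"{name}-{vr}.{arch}"
            if name == "gpg-pubkey":
                # Imported signing keys are never in a repo; review separately.
                report["keys"].append(entry)
            elif (name, arch) not in trusted:
                report["unknown"].append(entry)
            elif vr not in trusted[(name, arch)]:
                # Could be a pending update or local build, not proof of tampering.
                report["mismatch"].append(entry)
    return report


# Constructed sample data (names and versions are illustrative only).
INSTALLED = ("bash\t5.0.17-1.fc32\tx86_64\n"
             "kernel\t5.4.50-1.qubes\tx86_64\n"
             "kernel\t5.4.55-1.qubes\tx86_64\n"   # several kernels installed at once
             "xen\t4.8.5-19.fc25\tx86_64\n"
             "helper-tool\t1.0-1\tnoarch\n"
             "gpg-pubkey\t12345678-5d5156ab\t(none)\n")
TRUSTED = ("bash\t5.0.17-1.fc32\tx86_64\n"
           "kernel\t5.4.50-1.qubes\tx86_64\n"
           "kernel\t5.4.55-1.qubes\tx86_64\n"
           "xen\t4.8.5-20.fc25\tx86_64\n")

if __name__ == "__main__":
    for bucket, entries in crosscheck(INSTALLED, TRUSTED).items():
        print(bucket, entries)
```

The result is only as trustworthy as the reference list and the rpm database it is compared against.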
