Hello,

On Sat, 2008-07-12 at 23:13 +0000, Joe Smith wrote:
> Andrei Popescu <andreimpopescu <at> gmail.com> writes:
>
> > How about distributing the Release files *only* from a trusted server?
> The other attack I mentioned (the attack of attempting to exploit a flaw in any
> client that requests a security update) cannot be fixed in the general case,
> except by clients using a trusted server, or a trusted proxy that does not
> reveal the true requesting system's IP.
>
> Stable is safe because the security servers are trusted. Users of testing or sid
> should choose servers they trust or some form of trusted proxy.

Stable is safe... as long as there's no man-in-the-middle attack (e.g. a public
wireless access point with a transparent HTTP proxy, if it's used over a long
period of time).

If we also consider the fact that the computer's local time might be wrong
(hwclock bug + an NTP man-in-the-middle...), re-signing the files doesn't help
either [in this very specific case].

One costly solution would be to get the client to send a challenge to a trusted
server, which would respond by gpg-signing the challenge + the checksum of the
current Release file.

Franklin
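The challenge/response Franklin sketches above, worked through as an added example (not code from the thread or from apt): the client draws a random nonce, the trusted server signs nonce || SHA-256(Release) and the client accepts the mirror's Release file only if the signature checks, the nonce is its own and the hash matches. Ed25519 stands in for the gpg signature, the `TrustedServer`, `Answer` and `Verify` names are hypothetical, and the two Release files are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Answer is what the trusted server returns for one client challenge.
// Ed25519 stands in here for the gpg signature proposed in the thread.
type Answer struct {
	Nonce      []byte // the client's challenge, echoed back
	ReleaseSum []byte // SHA-256 of the Release file the server currently publishes
	Sig        []byte // signature over Nonce || ReleaseSum
}

// TrustedServer is the hypothetical trusted host: it holds the signing key and
// the Release file it considers current.
type TrustedServer struct {
	priv    ed25519.PrivateKey
	release []byte
}

func NewTrustedServer(release []byte) (*TrustedServer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &TrustedServer{priv: priv, release: release}, pub, nil
}

// signedBytes fixes the byte layout both sides sign and verify: nonce, then hash.
func signedBytes(nonce, sum []byte) []byte {
	return append(append([]byte{}, nonce...), sum...)
}

// Respond binds the client's fresh nonce to the current Release checksum, so an
// answer cannot be reused for a later challenge even if the client's clock is wrong.
func (s *TrustedServer) Respond(nonce []byte) Answer {
	sum := sha256.Sum256(s.release)
	return Answer{
		Nonce:      append([]byte{}, nonce...),
		ReleaseSum: sum[:],
		Sig:        ed25519.Sign(s.priv, signedBytes(nonce, sum[:])),
	}
}

// NewChallenge draws a 32-byte random nonce; freshness comes from this, not from time.
func NewChallenge() ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	return n, nil
}

// Verify is the client side: the answer must carry our nonce, must be signed by
// the pinned key, and must name the same Release file the (untrusted) mirror gave us.
func Verify(pub ed25519.PublicKey, challenge []byte, a Answer, mirrorRelease []byte) error {
	if !bytes.Equal(a.Nonce, challenge) {
		return errors.New("nonce mismatch: stale or replayed answer")
	}
	if !ed25519.Verify(pub, signedBytes(a.Nonce, a.ReleaseSum), a.Sig) {
		return errors.New("bad signature: answer not from the trusted server")
	}
	got := sha256.Sum256(mirrorRelease)
	if !bytes.Equal(got[:], a.ReleaseSum) {
		return errors.New("Release file from mirror does not match trusted checksum")
	}
	return nil
}

// RunScenarios plays the exchange against a transparent proxy that keeps last
// week's Release file, returning (genuine accepted, stale file rejected, replay rejected).
func RunScenarios() (bool, bool, bool) {
	oldRelease := []byte("Suite: stable\nDate: Sat, 05 Jul 2008 00:00:00 UTC\n") // constructed
	newRelease := []byte("Suite: stable\nDate: Sat, 12 Jul 2008 00:00:00 UTC\n") // constructed

	srv, pub, err := NewTrustedServer(oldRelease)
	if err != nil {
		return false, false, false
	}
	c0, e0 := NewChallenge()
	c1, e1 := NewChallenge()
	c2, e2 := NewChallenge()
	c3, e3 := NewChallenge()
	if e0 != nil || e1 != nil || e2 != nil || e3 != nil {
		return false, false, false
	}

	captured := srv.Respond(c0) // the proxy records last week's signed answer
	srv.release = newRelease    // the trusted host now publishes a newer Release file

	genuine := Verify(pub, c1, srv.Respond(c1), newRelease) == nil
	// Proxy passes the fresh answer through but still serves the old Release file.
	stale := Verify(pub, c2, srv.Respond(c2), oldRelease) != nil
	// Proxy answers the new challenge with the captured answer and the old file.
	replay := Verify(pub, c3, captured, oldRelease) != nil
	return genuine, stale, replay
}

func main() {
	g, s, r := RunScenarios()
	fmt.Printf("genuine accepted=%v stale rejected=%v replay rejected=%v\n", g, s, r)
}
```

The nonce is what makes this robust to a wrong local clock: the client never compares a date, it only checks that the signed answer was made for the challenge it just issued. This does not replace the gpg signature apt already checks on the Release file; it only proves the mirror handed over the copy the trusted host currently publishes, at the cost of one signature per client check, which is the "costly" part.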