[liberationtech] secure download tool - doesn't exist?!?
Jonathan Wilkes
jancsika at yahoo.com
Wed Jul 3 11:26:11 PDT 2013
On 07/03/2013 04:47 AM, intrigeri wrote:
> Hi,
>
> Jonathan Wilkes wrote (02 Jul 2013 21:57:01 GMT) :
>> On 07/02/2013 12:46 PM, Jonathan Wilkes wrote:
>>> On 07/02/2013 04:51 AM, intrigeri wrote:
>>>> + verify that the signed file you've downloaded is actually the
>>>> version you intended to download, and not an older, also properly
>>>> signed one.
> [...]
>>> Does Debian's "Valid-Until" field in the release files solve this problem?
>> After getting some help on #debian-apt, I can at least say that the "Valid-Until"
>> field in the release file for Debian security updates is indeed intended to address
>> replay attacks.
> The Valid-Until mechanism (when it's used by the APT repository at
> all) typically ensures an attacker can't hide available security
> updates for more than a week.
You say "when it's used at all":
My understanding is that it's used for security updates (and possibly
some other repos), and not used for stable releases. Are there security
updates that don't use "Valid-Until"?
The remaining question is this: what is an example of a potential attack
that
exploits the absence of a "Valid-Until" header in a stable release? A
stable version
of Debian is canonical, so there is nothing for an attacker to replay
unless
it's from a previous version of Debian which has a different key and,
therefore,
would set off alarm bells from apt.
-Jonathan
> This is sometimes good enough.
>
> Cheers,
> --
> intrigeri
> | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
> | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
> --
> Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
More information about the liberationtech
mailing list