Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] secure download tool - doesn't exist?!?

Jonathan Wilkes jancsika at yahoo.com
Wed Jul 3 11:26:11 PDT 2013


On 07/03/2013 04:47 AM, intrigeri wrote:
> Hi,
>
> Jonathan Wilkes wrote (02 Jul 2013 21:57:01 GMT) :
>> On 07/02/2013 12:46 PM, Jonathan Wilkes wrote:
>>> On 07/02/2013 04:51 AM, intrigeri wrote:
>>>> + verify that the signed file you've downloaded is actually the
>>>>     version you intended to download, and not an older, also properly
>>>>     signed one.
> [...]
>>> Does Debian's "Valid-Until" field in the release files solve this problem?
>> After getting some help on #debian-apt, I can at least say that the "Valid-Until"
>> field in the release file for Debian security updates is indeed intended to address
>> replay attacks.
> The Valid-Until mechanism (when it's used by the APT repository at
> all) typically ensures an attacker can't hide available security
> updates for more than a week.

You say "when it's used at all":

My understanding is that it's used for security updates (and possibly
some other repos), and not used for stable releases.  Are there security
updates that don't use "Valid-Until"?

The remaining question is this: what is an example of a potential attack 
that
exploits the absence of a "Valid-Until" header in a stable release? A 
stable version
of  Debian is canonical, so there is nothing for an attacker to replay 
unless
it's from a previous version of Debian which has a different key and, 
therefore,
would set off alarm bells from apt.

-Jonathan

> This is sometimes good enough.
>
> Cheers,
> --
>    intrigeri
>    | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
>    | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
> --
> Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
>




More information about the liberationtech mailing list