Date: Sun, 4 Jan 2009 00:20:23 +0000
From: RW
To: freebsd-questions@freebsd.org
Subject: Re: Foiling MITM attacks on source and ports trees
Message-ID: <20090104002023.51c7fe5a@gumby.homeunix.com>
In-Reply-To: <20090103184659.GB1253@phenom.cordula.ws>

On Sat, 3 Jan 2009 19:46:59 +0100
cpghost wrote:

> On Sat, Jan 03, 2009 at 01:38:25AM +0000, RW wrote:
> > On Fri, 02 Jan 2009 17:30:12 +0000
> > Vincent Hoffman wrote:
> > > Admittedly this doesn't give a file by file checksum
> >
> > That's not really a problem, it's no easier to create a collision
> > in a .gz file than a patch file.
> >
> > The more substantial weakness is that the key is verified against a
> > hash stored on the original installation media. If someone went to
> > the trouble of diverting dns or routing to create a fake FreeBSD
> > site they would presumably make it self-consistent down to the ISO
> > checksums.
>
> That's why I suggested that the list of checksums be digitally signed
> by a private key belonging to The FreeBSD Project. It is assumed that
> getting the corresponding public key would be possible by other means
> not susceptible to MITM attacks (e.g. through endless replication all
> over the net, fingerprint in books etc...).

My point is that having signed updates etc (which is essentially what
freebsd-update and portsnap do) is undermined if the original iso is
not obtained securely. Currently that appears to be the weakest link.
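
Added example, not part of the message above and not code from freebsd-update or portsnap: a Python model of the key check discussed in the thread, showing that a key compared only against a hash shipped on the install media passes when both come from the same substituted source, while a fingerprint obtained through a separate channel catches the mismatch. The key bytes, the function names and the "KeyPrint <hex>" / "KEYPRINT=<hex>" configuration line format are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Constructed stand-ins for public key files; not real FreeBSD keys.
PROJECT_KEY = b"constructed project public key\n"
OTHER_KEY = b"constructed substituted public key\n"


def keyprint(pubkey):
    """Hex SHA-256 of the public key file."""
    return hashlib.sha256(pubkey).hexdigest()


def pinned_keyprint(conf_text):
    """Read the pinned hash; 'KeyPrint <hex>' / 'KEYPRINT=<hex>' is assumed."""
    m = re.search(r"^\s*keyprint[\s=]+([0-9a-f]{64})\s*$", conf_text, re.I | re.M)
    if m is None:
        raise ValueError("no key fingerprint in configuration")
    return m.group(1).lower()


def key_matches_media(pubkey, conf_text):
    """Single-channel check: fetched key against the hash on the install media."""
    return hmac.compare_digest(keyprint(pubkey), pinned_keyprint(conf_text))


def key_matches_independent(pubkey, conf_text, out_of_band):
    """Also require agreement with fingerprints from other channels."""
    if not out_of_band:
        return False  # nothing independent to compare against
    fp = keyprint(pubkey)
    return key_matches_media(pubkey, conf_text) and all(
        hmac.compare_digest(fp, other.strip().lower()) for other in out_of_band
    )


# Genuine media pins the project key; substituted media pins its own key.
GENUINE_CONF = "# constructed\nKeyPrint " + keyprint(PROJECT_KEY) + "\n"
SUBSTITUTED_CONF = "# constructed\nKeyPrint " + keyprint(OTHER_KEY) + "\n"
# Fingerprint taken from a channel that does not share the download path.
PRINTED_FINGERPRINT = keyprint(PROJECT_KEY)

if __name__ == "__main__":
    # Substituted media is self-consistent, so the single-channel check passes.
    print(key_matches_media(OTHER_KEY, SUBSTITUTED_CONF))
    # The independent fingerprint exposes the substitution.
    print(key_matches_independent(OTHER_KEY, SUBSTITUTED_CONF, [PRINTED_FINGERPRINT]))
    print(key_matches_independent(PROJECT_KEY, GENUINE_CONF, [PRINTED_FINGERPRINT]))
```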