From owner-freebsd-questions@FreeBSD.ORG  Thu Dec 24 08:47:44 2009
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 002631065692
	for <freebsd-questions@freebsd.org>;
	Thu, 24 Dec 2009 08:47:43 +0000 (UTC)
	(envelope-from jackqq@gmail.com)
Received: from mail-px0-f190.google.com (mail-px0-f190.google.com
	[209.85.216.190])
	by mx1.freebsd.org (Postfix) with ESMTP id CD49F8FC1B
	for <freebsd-questions@freebsd.org>;
	Thu, 24 Dec 2009 08:47:43 +0000 (UTC)
Received: by pxi28 with SMTP id 28so5336004pxi.7
	for <freebsd-questions@freebsd.org>;
	Thu, 24 Dec 2009 00:47:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:mime-version:received:from:date:message-id
	:subject:to:content-type:content-transfer-encoding;
	bh=hLaLOziH3me4a9lOy1b4mKH6cYU6c8tApepDvC5PGPc=;
	b=L65+vSYgiNxwm8Khb0f6tlVMQFzGRaaw/zQ9ECEYmh3DgG1fBGSKgwvQb2HP01R2Gi
	42B8WlvcOTruTgNfPPwqkMrw/NwyNNxb+G0xP+Tuif92J3sTy4pR0mD1J7Cj54rkjTXH
	+rIWW4BlwBFwYEqWEz1YUXwsUDTydPtSfFVlc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=mime-version:from:date:message-id:subject:to:content-type
	:content-transfer-encoding;
	b=wLxqsPdEvl9aLpOUuRxcinD6JJy3E4x8a4uvUFLoXp4ElUTXToj309G+EVJjZBcIR6
	FcG6HHZtdjJ7vgFAuBlFKEaT1gbotgjK6wX6DMeS032nM8u/JyWxLpl//PHM8dkQCh3+
	xQy+8/+JmXlqmFx0nZ3KHw+45iaWm/JkOMxCw=
MIME-Version: 1.0
Received: by 10.142.8.35 with SMTP id 35mr7628817wfh.30.1261642828607; Thu, 24 
	Dec 2009 00:20:28 -0800 (PST)
From: QIU Quan <jackqq@gmail.com>
Date: Thu, 24 Dec 2009 16:20:08 +0800
Message-ID: <53a565700912240020s7476721egca5d7801ffcd2bb7@mail.gmail.com>
To: freebsd-questions@freebsd.org
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Are source updating mechanisms vulnerable to MITM attacks?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Dec 2009 08:47:44 -0000

It seems CVSup uses clear text, with neither server authentication as
SSH nor message authentication as PGP.

Is it possible to poison the DNS records and fire a man-in-the-middle
attack against the source updating procedure?

It seems portsnap uses a public key to verify downloads.

Are there some source updating mechanisms with authentication or verificati=
on?

Thanks.

--=20
=E8=A3=98=E4=BD=BA (QIU Quan) <jackqq@gmail.com>