Date: Thu, 24 Dec 2009 19:55:29 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: QIU Quan <jackqq@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Are source updating mechanisms vulnerable to MITM attacks?
Message-ID: <4B33C731.9030909@infracaninophile.co.uk>
In-Reply-To: <53a565700912240020s7476721egca5d7801ffcd2bb7@mail.gmail.com>
References: <53a565700912240020s7476721egca5d7801ffcd2bb7@mail.gmail.com>
QIU Quan wrote:
> It seems CVSup uses clear text, with neither server authentication as
> SSH nor message authentication as PGP.
>
> Is it possible to poison the DNS records and fire a man-in-the-middle
> attack against the source updating procedure?

In principle, yes. There have been no reports of this happening in the
wild, however.

> It seems portsnap uses a public key to verify downloads.
>
> Are there some source updating mechanisms with authentication or
> verification?

freebsd-update(8), freebsd-update.conf(5)

You can use this just to pull down the system sources I believe, but only
for release branches, not for -CURRENT or -STABLE.

Installing from the cryptographically checksummed release .iso images, and
then only applying the updates from the PGP signed advisory messages and
patches?

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
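An added example, not part of the thread, illustrating the verification step Matthew's reply relies on for the checksummed release images: it parses a CHECKSUM.SHA256-style manifest in the BSD sha256(1) format and checks in-memory sample images against it. The file names and image contents are constructed for the example; the comments make the point the thread circles around, that a checksum file only adds protection when it is itself authenticated (PGP signature checked or obtained out of band), since a man-in-the-middle who can rewrite the download can rewrite an unsigned manifest served next to it.

```python
import hashlib
import hmac
import re

# One manifest line in the BSD sha256(1) format FreeBSD uses for CHECKSUM.SHA256:
#   SHA256 (FreeBSD-8.0-RELEASE-amd64-disc1.iso) = <64 hex digits>
_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]{64})$")

# Constructed sample data, not real FreeBSD files: the "image" is the bytes
# b"abc" and the manifest carries the well-known SHA-256 of that input.
SAMPLE_MANIFEST = (
    "SHA256 (disc1.iso) = "
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n"
)
SAMPLE_FILES = {
    "disc1.iso": b"abc",   # listed in the manifest and intact
    "extra.iso": b"xyz",   # not listed: cannot be verified at all
}

def parse_manifest(text):
    """Map file name -> expected hex digest; lines that do not parse are ignored."""
    expected = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            expected[m.group("name")] = m.group("digest").lower()
    return expected

def verify(files, manifest_text):
    """Return {name: True (match) | False (mismatch) | None (no manifest entry)}.

    The manifest only adds security if it was itself authenticated (its PGP
    signature checked, or the file obtained out of band): an attacker who can
    rewrite the image in transit can also rewrite an unsigned manifest.
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for name, data in files.items():
        want = expected.get(name)
        if want is None:
            results[name] = None
            continue
        got = hashlib.sha256(data).hexdigest()
        results[name] = hmac.compare_digest(got, want)   # constant-time compare
    return results

if __name__ == "__main__":
    labels = {True: "OK", False: "MISMATCH", None: "NOT IN MANIFEST"}
    for name, ok in verify(SAMPLE_FILES, SAMPLE_MANIFEST).items():
        print(name, labels[ok])
```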