[Cryptography] Kali Linux security is a joke!
Henry Baker
hbaker1 at pipeline.com
Wed Mar 18 08:39:06 EDT 2015
At 12:31 PM 3/17/2015, Alfie John wrote:
>On Wed, Mar 18, 2015, at 05:32 AM, Viktor Dukhovni wrote:
>> On Mon, Mar 16, 2015 at 12:07:08PM -0700, Henry Baker wrote:
>>
>> > So how come whenever you do apt-get in Kali Linux, it accesses
>> > http://security.kali.org and http://http.kali.org
>>
>> All Debian-style repositories use HTTP, not HTTPS which makes them to
>> mirror. The Release files are GPG signed by the distribution
>> maintainers. The distribution keys should be part of the base
>> installation media. Of course if you bootstrap via PXE, your MiTM
>> attack starts there (the turtle at the bottom of the stack).
>>
>> > Hasn't Kali heard about MITM attacks against http.
>>
>> I would take some time to study the "apt" security model. It is not
>> perfect, but the use of http is not a significant problem.
>
>An issue with HTTP for apt is information leak. People listening on the
>wire will know what software you're installing on machines.
Another issue with HTTP is denial-of-service. NSA/GCHQ routinely
hijack HTTP for MITM, but even when they can't serve up properly
signed package files, they can make pretty sure that their victims
can't get the properly-signed files from the proper server, either.
Thus, since so many of the recent package updates & upgrades have
to do with security issues (Heartbleed, etc.), NSA/GCHQ can deny
their victims the opportunity to upgrade their security.
More information about the cryptography
mailing list