[Cryptography] Kali Linux security is a joke!

Viktor Dukhovni cryptography at dukhovni.org
Tue Mar 17 14:32:37 EDT 2015

On Mon, Mar 16, 2015 at 12:07:08PM -0700, Henry Baker wrote:

> So how come whenever you do apt-get in Kali Linux, it accesses
> http://security.kali.org and http://http.kali.org

All Debian-style repositories use HTTP, not HTTPS which makes them
to mirror.  The Release files are GPG signed by the distribution
maintainers.  The distribution keys should be part of the base
installation media.  Of course if you bootstrap via PXE, your MiTM
attack starts there (the turtle at the bottom of the stack).

> Hasn't Kali heard about MITM attacks against http?

I would take some time to study the "apt" security model.  It is
not perfect, but the use of http is not a significant problem.


