[Cryptography] Kali Linux security is a joke!

Henry Baker hbaker1 at pipeline.com
Wed Mar 18 08:39:06 EDT 2015

At 12:31 PM 3/17/2015, Alfie John wrote:
>On Wed, Mar 18, 2015, at 05:32 AM, Viktor Dukhovni wrote:
>> On Mon, Mar 16, 2015 at 12:07:08PM -0700, Henry Baker wrote:
>> > So how come whenever you do apt-get in Kali Linux, it accesses
>> > http://security.kali.org and http://http.kali.org
>> All Debian-style repositories use HTTP, not HTTPS which makes them to
>> mirror.  The Release files are GPG signed by the distribution
>> maintainers.  The distribution keys should be part of the base
>> installation media.  Of course if you bootstrap via PXE, your MiTM
>> attack starts there (the turtle at the bottom of the stack).
>> > Hasn't Kali heard about MITM attacks against http.
>> I would take some time to study the "apt" security model.  It is not
>> perfect, but the use of http is not a significant problem.
>An issue with HTTP for apt is information leak.  People listening on the
>wire will know what software you're installing on machines.

Another issue with HTTP is denial-of-service.  NSA/GCHQ routinely
hijack HTTP for MITM, but even when they can't serve up properly
signed package files, they can make pretty sure that their victims
can't get the properly-signed files from the proper server, either.

Thus, since so many of the recent package updates & upgrades have
to do with security issues (Heartbleed, etc.), NSA/GCHQ can deny
their victims the opportunity to upgrade their security.

More information about the cryptography mailing list