[Cryptography] Kali Linux security is a joke!

Viktor Dukhovni cryptography at dukhovni.org
Wed Mar 18 13:36:16 EDT 2015


On Wed, Mar 18, 2015 at 05:39:06AM -0700, Henry Baker wrote:

> Another issue with HTTP is denial-of-service.  NSA/GCHQ routinely
> hijack HTTP for MITM, but even when they can't serve up properly
> signed package files, they can make pretty sure that their victims
> can't get the properly-signed files from the proper server, either.

Sending a TCP RST is just as easy for HTTPS as for HTTP.  TLS does
not authenticate the signalling at the transport layer.

On Tue, Mar 17, 2015 at 09:14:06PM -0700, Ray Dillinger wrote:

> > Hasn't Kali heard about MITM attacks against http ??
> 
> I see that they also haven't heard about cryptographic attacks on MD5.

For a user who's just comparing the MD5 checksum of the software
downloaded, with the MD5 checksum published by the maintainers and
not using anything stronger, MD5 is just fine.  Second preimages
for MD5 are still difficult IIRC.

If there are significant security issues with Kali, publishing MD5
checksums on their website and offering repositories via HTTP are
not the droids you're looking for.

-- 
	Viktor.
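
An added illustration, not part of the message above, of why the collision attacks on MD5 and the second preimages that matter when checking a download against a published checksum are different problems. It truncates MD5 to 16 bits (an assumption so both generic searches finish quickly; function names and sample bytes are constructed) and counts the work for each. Real MD5 collisions come from cryptanalysis rather than brute force, but they likewise need the attacker to choose both inputs.

```python
import hashlib
from itertools import count

BITS = 16  # assumption: toy truncation so both searches finish in seconds


def toy_digest(data: bytes) -> int:
    """First BITS bits of MD5(data): a deliberately tiny stand-in for all 128."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - BITS)


def find_collision(prefix: bytes):
    """Attacker picks BOTH messages: any two inputs with equal digests will do."""
    seen = {}
    for tries in count(1):
        msg = prefix + str(tries).encode()
        d = toy_digest(msg)
        if d in seen:
            return seen[d], msg, tries
        seen[d] = msg


def find_second_preimage(published: bytes, prefix: bytes):
    """Attacker must hit the ONE digest already published for the genuine file."""
    target = toy_digest(published)
    for tries in count(1):
        msg = prefix + str(tries).encode()
        if msg != published and toy_digest(msg) == target:
            return msg, tries


if __name__ == "__main__":
    genuine = b"constructed sample: genuine package contents"
    a, b, c_tries = find_collision(b"collide-")
    forged, p_tries = find_second_preimage(genuine, b"forge-")
    print(f"collision after {c_tries} tries (birthday bound ~2^{BITS // 2})")
    print(f"second preimage after {p_tries} tries (generic bound ~2^{BITS})")
```
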

