[Cryptography] Kali Linux security is a joke!
Jerry Leichter
leichter at lrw.com
Wed Mar 18 14:38:20 EDT 2015
On Mar 18, 2015, at 8:39 AM, Henry Baker <hbaker1 at pipeline.com> wrote:
>> An issue with HTTP for apt is information leak. People listening on the
>> wire will know what software you're installing on machines.
>
> Another issue with HTTP is denial-of-service. NSA/GCHQ routinely
> hijack HTTP for MITM,
HTTP is clear text, they can simply record it. No need for MITM as the term is generally used.
> but even when they can't serve up properly
> signed package files, they can make pretty sure that their victims
> can't get the properly-signed files from the proper server, either.
And this is different from screwing up the HTTPS negotiation as a way to deny service ... how?
I would also be very surprised to learn that anyone has made it a practice to block updates via denial of service. The Western intelligence agencies want to be invisible. Blocking access to updates is anything but. The, err, what's the opposite of "Western" - not really a geographical designation - in this context, other powers don't really care if you know you've been blocked. They are already implementing tons of blocks anyway - if they don't want you going to that update site, adding its name and IP to their block list is trivial.
> Thus, since so many of the recent package updates & upgrades have
> to do with security issues (Heartbleed, etc.), NSA/GCHQ can deny
> their victims the opportunity to upgrade their security.
Do you have *any* evidence of NSA/GCHQ actually doing this?
-- Jerry
More information about the cryptography
mailing list