[Cryptography] Kali Linux security is a joke!
Jim Gettys
jg at freedesktop.org
Fri Mar 20 11:49:38 EDT 2015
On Thu, Mar 19, 2015 at 3:42 PM, Rob Meijer <pibara at gmail.com> wrote:
>
> 2015-03-16 20:07 GMT+01:00 Henry Baker <hbaker1 at pipeline.com>:
>
>> FYI --
>>
>> http://docs.kali.org/category/introduction
>>
>> "Downloading Kali Linux"
>>
>> "Alert! Always make certain you are downloading Kali Linux from official
>> sources, as well as verifying md5sums against official values. It would be
>> easy for a malicious entity to modify a Kali install to contain malicious
>> code, and host it unofficially."
>> ---
>>
>> No kidding!
>>
>> So how come whenever you do apt-get in Kali Linux, it accesses
>> http://security.kali.org and http://http.kali.org ??
>>
>> Hasn't Kali heard about MITM attacks against http ??
>>
>>
> Packaging security should be packager to user, not http(s) server to
> http(s) client. Any packaging integrity system relying on 600+ CAs to be
> uncompromised is inherently flawed.
>
Which is why the Debian package system does *not* depend on https at all;
it checks the gpg signatures on the packages of the software feeds you have
configured.
See: https://wiki.debian.org/SecureApt
The only reason I can see to run https is to avoid leaking what packages
are being used by people doing updates. That is sufficient reason, in my
view, to do so.
- Jim
>
>
>
>
>> What's the point of verifying md5sums against official values, if Kali
>> can't even get the "official values" securely ??
>>
>> _______________________________________________
>> The cryptography mailing list
>> cryptography at metzdowd.com
>> http://www.metzdowd.com/mailman/listinfo/cryptography
>>
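To make Jim's point concrete, here is an added example (not from this thread, and not apt's own code) of the hash chain apt walks once the OpenPGP signature on a repository's Release/InRelease file has been verified with gpgv against the trusted keyring: Release lists the SHA256 and size of each Packages index, and Packages lists the SHA256 and size of each .deb, so nothing in the path from mirror to client needs to be trusted, whether or not the transport is https. The Release, Packages and .deb contents below are constructed inline; the signature step itself is assumed to have already passed, since the standard library has no OpenPGP support. The freshness check on Valid-Until is included because a correctly signed but stale Release is the classic way a mirror or man-in-the-middle keeps clients on old, unpatched packages.

```python
"""Added example, not from the original thread or from apt's source:
the Release -> Packages -> .deb hash chain of SecureApt, plus the
Valid-Until freshness check. All repository data here is constructed."""
import hashlib
from datetime import datetime, timezone

# Constructed .deb payload (assumption: any bytes stand in for the archive).
DEB_BYTES = b"!<arch>\nconstructed-deb-payload\n"

# Constructed Packages index pointing at that .deb.
PACKAGES_TEXT = (
    "Package: example\n"
    "Version: 1.0-1\n"
    "Architecture: amd64\n"
    "Filename: pool/main/e/example/example_1.0-1_amd64.deb\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
    "\n"
)

# Constructed Release file; in a real repository this text is what the
# archive key signs (detached Release.gpg or clearsigned InRelease).
INDEX_PATH = "main/binary-amd64/Packages"
RELEASE_TEXT = (
    "Origin: Example\n"
    "Suite: stable\n"
    "Date: Fri, 20 Mar 2015 12:00:00 UTC\n"
    "Valid-Until: Fri, 27 Mar 2015 12:00:00 UTC\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES_TEXT.encode()).hexdigest()}"
    f" {len(PACKAGES_TEXT.encode())} {INDEX_PATH}\n"
)

# Two constructed clocks: one inside the validity window, one after it.
CLOCK_FRESH = datetime(2015, 3, 21, tzinfo=timezone.utc)
CLOCK_STALE = datetime(2015, 4, 1, tzinfo=timezone.utc)


def parse_release(text):
    """Return (valid_until or None, {path: (sha256_hex, size)}).
    Only the SHA256 section is used; MD5Sum/SHA1 sections are ignored."""
    hashes, valid_until, in_sha256 = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace():
            in_sha256 = line.startswith("SHA256:")
            if line.startswith("Valid-Until:"):
                stamp = line.split(":", 1)[1].strip()
                valid_until = datetime.strptime(
                    stamp, "%a, %d %b %Y %H:%M:%S UTC"
                ).replace(tzinfo=timezone.utc)
        elif in_sha256 and line.strip():
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return valid_until, hashes


def is_fresh(valid_until, now):
    """A signed Release past its Valid-Until is rejected: replaying an old
    signed snapshot would otherwise freeze clients on unfixed packages."""
    return valid_until is None or now <= valid_until


def digest_matches(data, expected_digest, expected_size):
    """Size first (cheap), then SHA256 of the actual bytes."""
    return (len(data) == expected_size
            and hashlib.sha256(data).hexdigest() == expected_digest)


def parse_packages(text):
    """Map package name -> field dict for each stanza in a Packages index."""
    stanzas = {}
    for block in text.strip().split("\n\n"):
        fields = dict(ln.split(": ", 1) for ln in block.splitlines() if ": " in ln)
        stanzas[fields["Package"]] = fields
    return stanzas


def verify_chain(release_text, packages_text, deb_bytes, now,
                 index_path=INDEX_PATH, package="example"):
    """Walk Release -> Packages -> .deb. Returns (ok, reason).
    Precondition: release_text already passed OpenPGP verification."""
    valid_until, hashes = parse_release(release_text)
    if not is_fresh(valid_until, now):
        return False, "release expired"
    entry = hashes.get(index_path)
    if entry is None or not digest_matches(packages_text.encode(), *entry):
        return False, "packages index hash mismatch"
    stanza = parse_packages(packages_text).get(package)
    if stanza is None or not digest_matches(
            deb_bytes, stanza["SHA256"], int(stanza["Size"])):
        return False, "deb hash mismatch"
    return True, "ok"


if __name__ == "__main__":
    print("good chain:", verify_chain(RELEASE_TEXT, PACKAGES_TEXT, DEB_BYTES, CLOCK_FRESH))
    print("tampered deb:", verify_chain(RELEASE_TEXT, PACKAGES_TEXT, DEB_BYTES + b"x", CLOCK_FRESH))
    print("tampered index:", verify_chain(RELEASE_TEXT, PACKAGES_TEXT.replace("1.0-1", "0.9-1"), DEB_BYTES, CLOCK_FRESH))
    print("stale release:", verify_chain(RELEASE_TEXT, PACKAGES_TEXT, DEB_BYTES, CLOCK_STALE))
```

The only input an attacker on the wire can substitute that this chain does not catch is a different Release file, and that is exactly what the archive key's signature pins; https on the mirror adds privacy about which packages were fetched, as Jim says, but contributes nothing to the integrity argument.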