[Cryptography] Kali Linux security is a joke!

Jim Gettys jg at freedesktop.org
Fri Mar 20 11:49:38 EDT 2015


On Thu, Mar 19, 2015 at 3:42 PM, Rob Meijer <pibara at gmail.com> wrote:

>
> 2015-03-16 20:07 GMT+01:00 Henry Baker <hbaker1 at pipeline.com>:
>
>> FYI --
>>
>> http://docs.kali.org/category/introduction
>>
>> "Downloading Kali Linux"
>>
>> "Alert!  Always make certain you are downloading Kali Linux from official
>> sources, as well as verifying md5sums against official values.  It would be
>> easy for a malicious entity to modify a Kali install to contain malicious
>> code, and host it unofficially."
>> ---
>>
>> No kidding!
>>
>> So how come whenever you do apt-get in Kali Linux, it accesses
>> http://security.kali.org and http://http.kali.org ??
>>
>> Hasn't Kali heard about MITM attacks against http ??
>>
>>
> Packaging security should be packager to user, not http(s) server to
> http(s) client. Any packaging integrity system relying on 600+ CAs to be
> uncompromised is inherently flawed.
>

Which is why the Debian package system does *not* depend on https at all;
it checks the gpg signatures on the packages of the software feeds you have
configured.

See: https://wiki.debian.org/SecureApt

The only reason I can see to run https is to avoid leaking what packages
are being used by people doing updates.  That is sufficient reason, in my
view, to do so.
                                          - Jim


>>
>
>
>> What's the point of verifying md5sums against official values, if Kali
>> can't even get the "official values" securely ??
>>
>> _______________________________________________
>> The cryptography mailing list
>> cryptography at metzdowd.com
>> http://www.metzdowd.com/mailman/listinfo/cryptography
>>
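As an added illustration of the SecureApt chain described above (example code written for this page, not taken from apt or the thread): apt trusts a signed Release file, which carries the SHA256 of each Packages index, which in turn carries the SHA256 of each .deb, so bytes altered by a plain-http mirror or an on-path attacker break a hash somewhere in the chain regardless of transport. The archive contents below are constructed, and the OpenPGP check is abstracted as a `signature_valid` callback standing in for the gpgv verification apt performs against its trusted archive keys.

```python
import hashlib
import re

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release_sha256(release: str) -> dict:
    """Map index path -> expected digest from the Release file's 'SHA256:' section."""
    hashes, in_section = {}, False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, _size, path = line.split()
            hashes[path] = digest
        elif in_section:
            break  # the next top-level field ends the hash section
    return hashes

def parse_packages(packages: str) -> dict:
    """Map Filename -> SHA256 for every stanza of a Packages index."""
    result = {}
    for stanza in packages.strip().split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z0-9-]+): (.*)$", stanza, re.M))
        result[fields["Filename"]] = fields["SHA256"]
    return result

def verify_chain(release, signature_valid, index_path, index_bytes, deb_path, deb_bytes):
    """Walk the chain Release -> Packages -> .deb and return (ok, reason).
    signature_valid stands in for the OpenPGP check apt does with gpgv against
    its trusted archive keys; nothing here depends on how the bytes arrived."""
    if not signature_valid(release):
        return False, "Release signature not trusted"
    if parse_release_sha256(release).get(index_path) != sha256(index_bytes):
        return False, "Packages index hash mismatch"
    if parse_packages(index_bytes.decode()).get(deb_path) != sha256(deb_bytes):
        return False, ".deb hash mismatch"
    return True, "ok"

# Constructed sample archive (not a real Debian or Kali mirror).
DEB_PATH = "pool/main/e/example_1.0_amd64.deb"
INDEX_PATH = "main/binary-amd64/Packages"
DEB = b"!<arch>\nconstructed package body"
PACKAGES = (f"Package: example\nVersion: 1.0\nFilename: {DEB_PATH}\n"
            f"SHA256: {sha256(DEB)}\n").encode()
RELEASE = ("Suite: example\nSHA256:\n"
           f" {sha256(PACKAGES)} {len(PACKAGES)} {INDEX_PATH}\n")

def check(index_bytes=PACKAGES, deb_bytes=DEB, signature_valid=lambda _r: True):
    """Verify using the (possibly tampered) bytes a mirror handed us."""
    return verify_chain(RELEASE, signature_valid, INDEX_PATH, index_bytes, DEB_PATH, deb_bytes)
```

Swapping the .deb alone fails at the Packages stanza; rewriting the Packages index to match fails against the signed Release file, which is the step a transport-only defence such as https cannot replace.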

