Re: trust update servers?
- From: David Bolt <blacklist-me@xxxxxxxxxx>
- Date: Sat, 29 Sep 2007 11:58:28 +0100
On Sat, 29 Sep 2007, houghi wrote:-

> David Bolt wrote:
>
> > Not themselves. Doesn't mean that someone couldn't hack a mirror, and
> > make all the required changes to the various files just so they can add
> > their own key as a replacement. Of course, once the replacement key is
> > imported and trusted...
>
> Also more of a theoretical than a real threat.

Definitely.

> The person then also
> should be hacking the whole rsync process, so that the fake key and all
> the other fake code won't be overwritten.

To protect their added extras, they'd need to somehow add the --exclude
option however many times is required to the rsync command. This is
likely to be possible, as the synching is likely to be done using a
cron-job. Then, it's a simple matter of changing the content file and
replacing the content.key and media.1/products.key files, re-signing
content and media.1/products and they're done.

> Is it possible? Yes. Is it likely that it will go unnoticed? No.

It might be unnoticed for a short time, an extremely short time, by
those that do network installs and use download.opensuse.org as their
installation source. Those that just add it as a repo possibly won't see
the change. They might see the "import key" dialog box, but most people
are likely to just import the key without checking.

> Obviously these are the mirrors. It becomes different if you put a repo
> online yourself.

Well, if they hack the server and use the above method, they then become
a repo masquerading as a mirror.

However, this is all hypothetical. I don't think it's likely to happen
in the real world.
Regards,
David Bolt
--
Member of Team Acorn checking nodes at 100 Mnodes/s: www.distributed.net
RISC OS 3.11 | SUSE 10.0 32bit | SUSE 10.1 32bit | openSUSE 10.2 32bit
RISC OS 3.6 | SUSE 10.0 64bit | SUSE 10.1 64bit | openSUSE 10.2 64bit
TOS 4.02 | SUSE 9.3 32bit | | openSUSE 10.3b2 32bit
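The "import the key without checking" step above is where a defender can intervene: pin the repository signing key's fingerprint out of band and refuse any key that does not match. The following is an added example, not code from this thread or from openSUSE or its tooling; it computes an OpenPGP v4 fingerprint (RFC 4880) from a raw Public-Key packet and compares it against a pinned set. The sample key, its creation time and the pinned fingerprint are constructed placeholders.

```python
import hashlib

def _read_packet(data: bytes):
    """Parse one OpenPGP packet header (old and new format, RFC 4880 4.2)
    and return (tag, body)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                                  # new-format header
        tag, l1 = first & 0x3F, data[1]
        if l1 < 192:
            body_len, off = l1, 2
        elif l1 < 224:
            body_len, off = ((l1 - 192) << 8) + data[2] + 192, 3
        elif l1 == 255:
            body_len, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                             # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        n = (1, 2, 4)[ltype]
        body_len, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    return tag, data[off:off + body_len]

def v4_fingerprint(key_bytes: bytes) -> str:
    """V4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, the two-octet body
    length and the Public-Key packet body, starting at the version octet."""
    tag, body = _read_packet(key_bytes)
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("expected a v4 Public-Key packet (tag 6)")
    digest = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body)
    return digest.hexdigest().upper()

def key_is_trusted(key_bytes: bytes, pinned_fingerprints: set) -> bool:
    """Accept a repo key (e.g. content.key) only if its fingerprint was pinned."""
    return v4_fingerprint(key_bytes) in pinned_fingerprints

# Constructed sample: minimal RSA v4 Public-Key packets with toy numbers
# (NOT real keys). Old-format header 0x98 = tag 6 with a one-octet length.
def _mpi(i: int) -> bytes:
    return i.bit_length().to_bytes(2, "big") + i.to_bytes((i.bit_length() + 7) // 8, "big")

def _sample_key(e: int) -> bytes:
    body = b"\x04" + (1191063508).to_bytes(4, "big") + b"\x01" + _mpi((1 << 1023) | 0x10001) + _mpi(e)
    return b"\x98" + len(body).to_bytes(1, "big") + body

SAMPLE_KEY = _sample_key(65537)          # the key the admin verified and pinned
SWAPPED_KEY = _sample_key(3)             # a different key served in its place
PINNED = {v4_fingerprint(SAMPLE_KEY)}    # placeholder for an out-of-band pinned fingerprint
```

In practice the pinned set would hold the fingerprint published by the distribution, obtained over a channel other than the mirror itself.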