Originally Posted by allnameswereout:
We usually include checksums of .deb packages in the Debian world, just like the BSD world does with their .tgz Ports.

APT does have a GPG backend to authenticate repositories. If you then download from e.g. HTTPS you are secure against MITM attacks on network layer, and package layer (provided the certificates are checked). It is still possible for hostile code to be inside a package no matter if it is a .deb or .rpm.
Not going to go into another deb/rpm debate, but I have to point out that checksumming without a cryptographic signature is pointless against a MITM attack. GPG authenticity checking without verifying the public key against some web of trust is also almost pointless against a MITM attack.

Using HTTPS is not always good enough protection against a MITM attack, and we know everyone is just wget'ing, ftp'ing, bluetooth-OBEX'ing and USB-stick'ing deb packages to their machines and installing them with 'dpkg -i' without retrieving and checking the GPG signature. Having the GPG signature embedded in the software package and automatically enforcing a check against it (using keyrings) protects us (all) lazy people at least on some level.

With GPG signatures, we at least know whom we may be able to blame when the **** hits the fan.
 

The Following User Says Thank You to zimon For This Useful Post: