Foiling MITM attacks on source and ports trees
RW
rwmaillists at googlemail.com
Sat Jan 3 01:38:36 UTC 2009
On Fri, 02 Jan 2009 17:30:12 +0000
Vincent Hoffman <vince at unsane.co.uk> wrote:
> Admittedly this doesn't give a file by file checksum
That's not really a problem, it's no easier to create a collision
in a .gz file than a patch file.
The more substantial weakness is that the key is verified against a
hash stored on the original installation media. If someone went to the
trouble of diverting dns or routing to create a fake FreeBSD site they
would presumably make it self-consistent down to the ISO checksums.
More information about the freebsd-questions
mailing list