Hacker News new | ask | show | jobs
by bitexploder 3205 days ago
That is basically the same as trusting `apt install`. We just hope apt repo maintainers have higher levels of opsec.

Most trust on a typical Ubuntu install, for example, is still chained back to an TLS download of an ISO (or maybe torrent file). That bootstraps your repo public keys.
2 comments
aeroevan 3205 days ago
You should always be verifying your downloads:

https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify...

link
bitexploder 3205 days ago
I have done this before. But if you are actually MiTM downloading the GPG sums from the same source as your ISO is a little pointless. That is the problem, how do you bootstrap the trust? It all still just goes back to TLS and the CA.

You can check the sums over time and acquire them using multiple connections to verify they are all the same to gain a higher level of confidence, but this is actually annoying for someone with a high level of technical skill and basically impossible for most people. I only do this for things that require the highest levels of operational security, like, say, if I am setting up a system to sign certificates in a CA or something.

A slightly easier approach is to strip down your CAs to a bare minimum in your browser config, and double check the certificates being presented on TLS download sites. You can still be owned by a MiTM if the CAs actively collude with a nation state and have given them signing keys, but... there isn't much to do about that. The options really aren't that great in terms of really verifying things.

link
AstralStorm 3205 days ago
And the security of the developer who signed the package too?
link
bitexploder 3205 days ago
And we are back to Thompson, basically. :)
link
sneak 3204 days ago
> We just hope apt repo maintainers have higher levels of opsec.

They do.

link