Foiling MITM attacks on source and ports trees
Matt
datahead4 at gmail.com
Fri Jan 2 17:50:50 UTC 2009
On Fri, Jan 2, 2009 at 10:44 AM, cpghost <cpghost at cordula.ws> wrote:
> Hello,
>
> with MITM attacks [1] on the rise, I'm concerned about the integrity
> of local /usr/src, /usr/doc, and /usr/ports trees fetched through csup
> (and portsnap) from master or mirror servers.
>
> [1] http://en.wikipedia.org/wiki/Man-in-the-middle_attack
>
> There's already a small protection against MITM on the distfiles in
> ports: distinfo contains md5 and sha256 digests. This is an excellent
> idea that could be extended to *all* files in /usr/src, /usr/doc, and
> /usr/ports.
>
Something like this was discussed back in September:
http://lists.freebsd.org/pipermail/freebsd-hackers/2008-September/026052.html
I haven't tried Max's script yet, but it looks like it should do at
least some of what you're looking for.
Matt
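
A sketch of the per-file digest idea from the quoted message, as an added example that is not part of the original post and is not Max's script: it writes a manifest of distinfo-style `SHA256 (path) = digest` lines for a whole tree and reports modified, missing and extra files. The function names and the sample tree are constructed for illustration, and the example assumes the manifest is authenticated separately from the tree (for instance by a signature), since a manifest fetched over the same channel can be replaced along with the files.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# distinfo-style digest line: "SHA256 (relative/path) = <64 hex chars>"
LINE_RE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-f]{64})$")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def walk(root):
    for d, dirs, files in os.walk(root):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            yield os.path.relpath(os.path.join(d, name), root)

def build_manifest(root):
    return "".join(f"SHA256 ({p}) = {sha256_file(os.path.join(root, p))}\n" for p in walk(root))

def verify_tree(root, manifest_text):
    """Return (modified, missing, extra) lists of paths relative to root."""
    expected = {}
    for line in manifest_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # refuse to continue on a line that cannot be parsed
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[m.group(1)] = m.group(2)
    present = set(walk(root))
    modified = sorted(p for p in present & expected.keys()
                      if sha256_file(os.path.join(root, p)) != expected[p])
    return modified, sorted(expected.keys() - present), sorted(present - expected.keys())

def demo():
    """Constructed sample tree: change one file, delete one, add one."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "src"))
        for rel in ("Makefile", "src/a.c", "src/b.c"):
            Path(root, rel).write_bytes(rel.encode())
        manifest = build_manifest(root)  # taken while the tree is known good
        Path(root, "src/a.c").write_bytes(b"tampered")
        os.remove(os.path.join(root, "src/b.c"))
        Path(root, "src/new.c").write_bytes(b"added")
        return verify_tree(root, manifest)
```

Files present in the tree but absent from the manifest are reported as well, because an added file is as relevant to tree integrity as a changed one.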