On 05/15/2015 02:49 PM, Matthew Miller wrote:
> On Fri, May 15, 2015 at 03:44:39PM -0400, James B. Byrne wrote:
>> What are the plans for the CentOS repos with respect to authentication
>> and https everywhere? At the moment it is a trivial exercise to
>> perform a MTM attack during a yum update over http.
>
> Since the packages themselves are signed, what risk are you concerned
> about?
>
Not only are the packages signed, but we're now offering signed
repository metadata as well.
HTTPS is an incremental improvement, but is by no means a silver bullet.
Look at the superfish fiasco if anyone thinks otherwise.
The other side to this is many people update from outside .centos.org.
Who's cert would you use for mirrors.kernel.org/centos/7/os/x86_64/ for
example?
--
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
