[pacman-dev] New way to download signing keys prone to MITM attacks?
Manuel Reimer
Manuel.Spam at nurfuerspam.de
Mon Feb 9 22:09:40 UTC 2015
Hello,

today, I was asked for the first time whether I want to download a
signing key. So far this was done using a "keyring" package, which,
itself, was signed using a trusted key.

How do you prevent MITM attacks? For me this seems like anyone who can
perform a MITM attack can trick me into installing virtually any
package as long as he signs it with a key somewhere available on a
public keyserver. Of course I would be asked whether I want to import
that key, but how do I know if the key is really valid and trusted? My
guess is that most users will just say "yes" in this case.

For me this seems to be a big step backwards in terms of security.
Please correct me if I'm wrong.

Thanks in advance.

Manuel