Wednesday, November 16, 2016

[bwraaqjk] Security updates

Users can choose their favorite mirror for package updates of Debian and Ubuntu, but everyone is funneled through security.debian.org or security.ubuntu.com for security updates.

This seems like a bad idea. An attacker can deny a user access to security updates by attacking the user's DNS, either preventing them from resolving security.{...} or redirecting it to a site that lacks the security update for a vulnerability the attacker intends to exploit. Attacking DNS to prevent or spoof the resolution of just one name seems easier than preventing the resolution of every possible mirror (including unpublished ones) a user might have chosen.

Furthermore, an attacker eavesdropping on DNS can estimate who has taken security updates and who hasn't (and target the latter for attack) by monitoring who resolves and accesses security.{...}.
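One defender-side check for the redirect case described above: the Release file that APT downloads carries a Date field and, optionally, a Valid-Until field, so a host can flag security metadata that has stopped advancing. This is an added example, not part of the original post; the sample header, the function names and the 7-day threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample in the style of an APT Release file header (not real data).
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Date: Sat, 12 Nov 2016 10:00:00 UTC
Valid-Until: Sat, 19 Nov 2016 10:00:00 UTC
SHA256:
 0000placeholder 1234 main/binary-amd64/Packages
"""


def parse_release_header(text):
    """Return the single-line 'Key: value' fields, skipping checksum lists."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0] in " \t" or ":" not in line:
            continue  # indented lines belong to the hash sections
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def _when(value):
    """Parse an RFC 2822 style date; treat a missing zone as UTC."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def assess_freshness(text, now, max_age=timedelta(days=7)):
    """Classify security metadata as fresh, stale, expired or undated."""
    fields = parse_release_header(text)
    if not fields.get("Date"):
        return "undated"
    if fields.get("Valid-Until") and now > _when(fields["Valid-Until"]):
        return "expired"  # the publisher's own deadline has passed
    if now - _when(fields["Date"]) > max_age:
        return "stale"    # older than the local threshold (assumed: 7 days)
    return "fresh"


if __name__ == "__main__":
    print(assess_freshness(SAMPLE_RELEASE, datetime.now(timezone.utc)))
```

A result of "stale" or "expired" on a host that is otherwise online is a reason to compare the same file fetched over a different resolver or network path.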
