Can Network Attacker Downgrade Dependency Install Security?
From the ooni-backend readme:
pip install -r requirements.txt --use-mirrors
# Note: it is important that you install the requirements before you run
# the setup.py script. If you fail to do so they will be downloaded over
# plaintext.
python setup.py install
What happens if an attacker is MITMing the network connection, and they make one package inaccessible during the pip install, but allow setup.py to download it? Will it fall back to an insecure connection, allowing the attacker to modify the code?
Trac:
Username: earthrise
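As an added example, not part of the ticket or of the ooni-backend project: a pre-flight check that parses requirements.txt and refuses to proceed to `setup.py install` until every pin is already satisfied in the environment, so the install step has nothing left to fetch. The sample requirement lines, the version map in the comments and the simple version comparison are assumptions for illustration.

```python
# Added example, not ooni-backend code: confirm every pin in requirements.txt
# is already installed before `setup.py install` runs, so setuptools has nothing
# left to fetch. Sample requirement lines below are constructed.
import re
from importlib import metadata

REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=)\s*([0-9][0-9A-Za-z.]*)$")

def parse_requirements(text):
    """Return (name, op, version) tuples; skip blanks, comments and pip options."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # e.g. an --index-url line: an option, not a package pin
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        reqs.append((m.group(1).lower(), m.group(2), m.group(3)))
    return reqs

def _vtuple(version):
    """Crude numeric comparison key; non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def missing_requirements(reqs, installed):
    """Names whose pin is not met by `installed` ({lowercase name: version})."""
    unmet = []
    for name, op, want in reqs:
        have = installed.get(name)
        ok = have is not None and (
            _vtuple(have) == _vtuple(want) if op == "==" else _vtuple(have) >= _vtuple(want)
        )
        if not ok:
            unmet.append(name)
    return unmet

def installed_versions():
    """Snapshot of the live environment, keyed by lowercased distribution name."""
    return {d.metadata["Name"].lower(): d.version for d in metadata.distributions()}

# Constructed sample; the real ooni-backend requirements.txt is not on this page.
SAMPLE_REQUIREMENTS = "twisted==12.3.0\ntxtorcon>=0.7\npyyaml>=3.10\n"

if __name__ == "__main__":
    unmet = missing_requirements(parse_requirements(SAMPLE_REQUIREMENTS), installed_versions())
    if unmet:
        raise SystemExit("refusing to run setup.py; unmet: " + ", ".join(unmet))
    print("all requirements satisfied; setup.py install has nothing to download")
```

Run it between the `pip install -r requirements.txt` step and `python setup.py install`; a non-zero exit means a requirement did not arrive through pip and would otherwise be fetched by setup.py.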