unSpawn: Many people acquire and update their OS via insecure methods, after that their OS is insecure.
Raspberry Pi infrastructure currently supports MITM attacks.
If RaspberryPi implements my simple suggestions, such attacks would be greatly reduced.
If the RaspberryPi repositories prevent users from downloading their GPG key from HTTP (and display a warning instead), then people can't post suggestions like

wget http://raspberry-foo -O - | apt-key add -

because people will reply saying it doesn't work.
If someone is being subjected to a MITM attack, they will of course find that their request for a GPG key via HTTP succeeds (because their request will never even reach the RbPi server). But in general, the widespread effectiveness of such an attack is reduced.
---
Easy method to perform MITM attack on any Raspberry Pi user who is not a security expert:
1. Perform an MITM attack whenever your victim(s) try to do an apt-get update or apt-get upgrade. They will get errors saying hash sum failed, etc.
(this happened to me)
2. They will google something like "raspberry pi hash sum failed"
3. They will click on the first google search result:
https://www.raspberrypi.org/forums/v...p?f=28&t=65062 (up to 2780 people owned)
4. Someone on the RaspberryPi forum (conveniently with 1 post) helpfully tells your victim(s) to update their GPG key using an insecure HTTP request.
5. They update their GPG key via HTTP and you of course MITM attack the HTTP request, and give them your fake GPG key.
6. They "successfully" update and upgrade
You own their Raspberry Pi.
===
Now that Raspberry Pi's infrastructure makes the attack so easy, and the bad advice is already in various places on the internet, the attacker's job has only 2 steps:
1. MITM the user's apt-get update and apt-get upgrade requests
2. MITM attack the GPG key request
===
Further MITM attack options on Raspberry Pi users
1. MITM attack the torrent files that are downloaded from raspberrypi.org via HTTP
2. MITM attack the zip files that are downloaded from raspberrypi.org via HTTP
(most users won't perform a hash sum check on the zip file, if it unzips, they will probably regard it as a success)
Other options would be to include a hash sum text file with the fake torrent, so they don't bother getting the hash from the HTTPS website.
Or for the zip HTTP download, nesting the compromised distro inside a zip file with a hash sum text file next to it.
===
More examples:
Raspberry Pi forum - error on update - wolfram key up to 1505 people owned
StackOverflow: apt-get-fails-with-raspberry-pi-although-ping-works up to 1956 people owned
===
Debian-Pi_Raspbian-ua-netinst GitHub Issue 64:
Fix insecure downloading of raspberrypi.org signing key
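The thread's two weak points are a signing key fetched over plain HTTP and an image whose hash is taken from a file that arrived over the same channel. The script below is an added defensive example written for this page; it is not code from the forum post, from the Raspberry Pi project or from the linked GitHub issue. The host names, file contents and hash values in it are constructed placeholders. It shows the two checks a user or a packaging script would apply before trusting such downloads: refuse any key source that is not HTTPS on the expected host, and compare a downloaded image only against a hash that was read from the HTTPS download page.

```shell
#!/bin/sh
# Added defensive example; not code from the forum post or from the Raspberry Pi
# project. Host names, file names and hashes here are constructed placeholders.

# Refuse to hand a key to "apt-key add" unless it was fetched over HTTPS from
# the host we expect. A plain-HTTP URL is exactly what the MITM scenario in the
# post relies on, so it is rejected with a message instead of silently used.
key_url_is_safe() {
    url="$1"
    expected_host="$2"
    case "$url" in
        https://"$expected_host"/*) return 0 ;;
        http://*)
            echo "refusing plain-HTTP key download: $url" >&2
            return 1 ;;
        *)
            echo "refusing unexpected key source: $url" >&2
            return 1 ;;
    esac
}

# Print the SHA-256 of a file, using whichever tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a downloaded image (zip or torrent payload) against a hash that was
# read from the HTTPS download page. A hash file that arrived next to the
# download over the same HTTP channel proves nothing, so it is never consulted.
verify_image_hash() {
    file="$1"
    expected="$2"
    actual=$(sha256_of "$file") || return 1
    [ "$actual" = "$expected" ]
}

# Small demonstration on a constructed file standing in for a downloaded image.
demo() {
    tmp=$(mktemp) || return 1
    printf 'constructed image payload\n' > "$tmp"
    good=$(sha256_of "$tmp")
    if verify_image_hash "$tmp" "$good"; then
        echo "image hash matches the value from the HTTPS page"
    fi
    # Shifting every hex digit models a tampered download; the check must fail.
    bad=$(printf '%s' "$good" | tr '0123456789abcdef' '123456789abcdef0')
    if verify_image_hash "$tmp" "$bad"; then
        echo "UNEXPECTED: tampered hash accepted"
    else
        echo "tampered image rejected"
    fi
    rm -f "$tmp"
    if key_url_is_safe "http://archive.example.org/key.asc" "archive.example.org"; then
        echo "UNEXPECTED: plain-HTTP key accepted"
    fi
}

demo
```

The key check deliberately fails closed: a user who pastes a plain-HTTP `wget ... | apt-key add -` line from a forum gets an error rather than a silently imported key, which is the behaviour the post asks the repository side to enforce.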