
Bug#722906: New users can't verify downloads correctly



Package: www.debian.org
Severity: important

The Debian website provides no reasonable way of verifying downloads in
absence of a solid web of trust. The checksums, keys and their
fingerprints aren't served over HTTPS, with the exception of
https://ftp-master.debian.org/keys.html but the chain of trust in that
case is unreasonably difficult to establish for the purpose of checking
CD images or other downloads.

Furthermore, http://www.debian.org/CD/verify encourages insecure ways of
checking fingerprints, which are posted on a plain HTTP page. There's
also no mention of ftp-master and how to use the archive keys to
establish a chain of trust.

It would be fair to expect a large proportion of users cannot or will
not be able to establish such a web of trust, especially if they're new
users. No matter how bad it is, the CA system is still better than
nothing and pretty much the only option for a lot of people, so for the
purpose of verifying an image and bootstrapping a chain of trust it
should do.

I suggest hosting all CD image checksums on an official HTTPS page and
updating http://www.debian.org/CD/verify accordingly. This makes it
really easy to check downloads, bootstraps the chain of trust with the
keys in the image and prevents minimally security-conscious users from
doing an insecure verification or skipping it altogether. Furthermore,
it's *very* cheap.

In addition to that, consider hosting all keys or at least their
fingerprints on an HTTPS page. This can be an alternative to what I
suggested above regarding checksums, but I'd advise against doing only
that considering a lot of users just aren't familiar with PGP.

P.S.: On a side note, I recently examined that aspect for a few other
major distros. Turns out Ubuntu also gets it wrong (not to mention they
still opt for MD5 checksums). Fedora and Gentoo do provide verifiable
keys/checksums (although in Gentoo's case official advice could be
better):

https://fedoraproject.org/verify
https://www.gentoo.org/proj/en/releng/

