
Bug#873122: HTTP Link to Keyring



Package: www.debian.org
Severity: normal
Tags: patch

I'm attaching the original wml file + patches to change http to https.

I wanted to rename them version 1.5/1.6 etc. but didn't want to put an
extra dot. Do let me know what's good practice as this is just my
second patch submitted.

On Thu, 24 Aug 2017 21:28:00 +0100 Phil <philipw@riseup.net> wrote:
> Hi Hanno,
> 
> Thank you very much for bringing this to our attention.
> 
> I'll submit a patch shortly for approval to get this amended.
> 
> Please do let us know if you spot anything else!
> 
> Phil
> 
> On Thu, 24 Aug 2017 19:53:59 +0200 Hanno Böck <hanno@hboeck.de> wrote:
> > Package: www.debian.org
> > 
> > When downloading a Debian CD there's a webpage explaining how to verify
> > signatures:
> > https://www.debian.org/CD/verify
> > 
> > This recommends to check the signatures with the keys from the Debian
> > GPG keyring. However that link is HTTP, pointing to:
> > http://keyring.debian.org/
> > 
> > It will immediately redirect to HTTPS, but an attacker could intercept
> > that redirection and present a user with a malicious keyring instead.
> > 
> > This makes the verification kinda pointless, as the keyring is
> > delivered over a potentially insecure channel. The lack of HSTS on
> > debian.org makes this particularly worrisome. Please change that link
> > to HTTPS.
> > 
> > 
> -- 
> Phil
> 
> 
-- 
Phil
#use wml::debian::cdimage title="Verifying authenticity of Debian CDs" BARETITLE=true

<p>
Official releases of Debian CDs come with signed checksum files;
look for them alongside the images in the <code>iso-cd</code>,
<code>jigdo-dvd</code>, <code>iso-hybrid</code> etc. directories.
These allow you to check that the images you download are correct.
First of all, the checksum can be used to check that the CDs have not
been corrupted during download.
Secondly, the signatures on the checksum files allow you to confirm
that the files are the ones officially released by the Debian CD /
Debian Live team and have not been tampered with.
</p>

<p>
To validate the contents of a CD image, just be sure to use the
appropriate checksum tool.
Cryptographically strong checksum
algorithms (SHA256 and SHA512) are available for every release; you should use the tools
<code>sha256sum</code> or <code>sha512sum</code> to work with these.
</p>

<p>
To ensure that the checksum files themselves are correct, use GnuPG to
verify them against the accompanying signature files (e.g.
<code>SHA512SUMS.sign</code>).
The keys used for these signatures are all in the <a
href="https://keyring.debian.org">Debian GPG keyring</a> and the best
way to check them is to use that keyring to validate via the web of
trust.
To make life easier for users, here are the fingerprints for the keys
that have been used for releases in recent years:
</p>

#include "$(ENGLISHDIR)/CD/CD-keys.data"
--- verify_v15.wml	2017-08-24 21:29:56.068732095 +0100
+++ verify_v16.wml	2017-08-24 21:31:26.540391738 +0100
@@ -25,7 +25,7 @@
 verify them against the accompanying signature files (e.g.
 <code>SHA512SUMS.sign</code>).
 The keys used for these signatures are all in the <a
-href="http://keyring.debian.org";>Debian GPG keyring</a> and the best
+href="https://keyring.debian.org";>Debian GPG keyring</a> and the best
 way to check them is to use that keyring to validate via the web of
 trust.
 To make life easier for users, here are the fingerprints for the keys
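Review bot: the ---/+++ header lines name local copies (verify_v15.wml and verify_v16.wml) rather than the file's path in the website source tree, so the patch cannot be applied from the top of the tree as it stands. Regenerate it as a unified diff taken from the top of the checkout against the file in place, so that both headers carry the same real path. The one-line change in the hunk itself, http://keyring.debian.org to https://keyring.debian.org, matches what the report asks for.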
#use wml::debian::cdimage title="Verifying authenticity of Debian CDs" BARETITLE=true

<p>
Official releases of Debian CDs come with signed checksum files;
look for them alongside the images in the <code>iso-cd</code>,
<code>jigdo-dvd</code>, <code>iso-hybrid</code> etc. directories.
These allow you to check that the images you download are correct.
First of all, the checksum can be used to check that the CDs have not
been corrupted during download.
Secondly, the signatures on the checksum files allow you to confirm
that the files are the ones officially released by the Debian CD /
Debian Live team and have not been tampered with.
</p>

<p>
To validate the contents of a CD image, just be sure to use the
appropriate checksum tool.
Cryptographically strong checksum
algorithms (SHA256 and SHA512) are available for every release; you should use the tools
<code>sha256sum</code> or <code>sha512sum</code> to work with these.
</p>

<p>
To ensure that the checksum files themselves are correct, use GnuPG to
verify them against the accompanying signature files (e.g.
<code>SHA512SUMS.sign</code>).
The keys used for these signatures are all in the <a
href="http://keyring.debian.org">Debian GPG keyring</a> and the best
way to check them is to use that keyring to validate via the web of
trust.
To make life easier for users, here are the fingerprints for the keys
that have been used for releases in recent years:
</p>

#include "$(ENGLISHDIR)/CD/CD-keys.data"
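
Added example (not part of the original message or of the Debian website code): a small Python check that finds links of the kind reported in this bug, i.e. URL attributes in a WML/HTML source that still use plain http. The sample text is constructed from the lines quoted above; the class and function names are hypothetical.

```python
"""Flag plaintext http:// links in WML/HTML page sources (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a browser fetch or navigate to a URL.
URL_ATTRS = {"href", "src", "action"}


class InsecureLinkFinder(HTMLParser):
    """Collect (line, tag, url) for every URL attribute that uses plain http."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()  # line on which the tag opens
        for name, value in attrs:
            if name in URL_ATTRS and value:
                url = value.strip()
                if urlsplit(url).scheme == "http":
                    self.findings.append((line, tag, url))


def find_insecure_links(source, hosts=None):
    """Return findings, optionally limited to the given hostnames."""
    finder = InsecureLinkFinder()
    finder.feed(source)
    finder.close()
    if hosts is None:
        return finder.findings
    wanted = {h.lower() for h in hosts}
    return [f for f in finder.findings
            if (urlsplit(f[2]).hostname or "") in wanted]


# Constructed sample, modelled on the page source attached to this report.
# The <a> tag is split across two lines, as in the real file.
SAMPLE_WML = '''#use wml::debian::cdimage title="Verifying authenticity of Debian CDs"
<p>
The keys used for these signatures are all in the <a
href="http://keyring.debian.org">Debian GPG keyring</a> and the best
way to check them is to use that keyring.
See also <a href="https://www.debian.org/CD/verify">the verify page</a>.
</p>
'''

if __name__ == "__main__":
    for line, tag, url in find_insecure_links(SAMPLE_WML):
        print(f"line {line}: <{tag}> links to {url} over plain http")
```

Because the parser works on whole tags rather than single lines, the link is reported at the line where the tag opens even though the href sits on the following line.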
