
Re: Bug#873122: HTTP Link to Keyring



On Thu, 24 Aug 2017 19:53:59 +0200,
Hanno Böck <hanno@hboeck.de> wrote:

>Package: www.debian.org
>
>When downloading a Debian CD there's a webpage explaining how to verify
>signatures:
>https://www.debian.org/CD/verify
>
>This recommends checking the signatures with the keys from the Debian
>GPG keyring. However, that link is HTTP, pointing to:
>http://keyring.debian.org/
>
>It will immediately redirect to HTTPS, but an attacker could intercept
>that redirection and present a user with a malicious keyring instead.
>
>This makes the verification kinda pointless, as the keyring is
>delivered over a potentially insecure channel. The lack of HSTS on
>debian.org makes this particularly worrisome. Please change that link
>to HTTPS.
>

Thanks guys, this has been fixed in the CVS repository (including
translations). It will be visible on the Debian web pages when they have
been rebuilt (they rebuild several times a day).

Thanks for your report!

-- Andreas Rönnquist
mailinglists@gusnan.se
gusnan@debian.org
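A defender's check for the two issues the report raises, plain-HTTP links to a host that must be fetched over TLS and whether a response carries HSTS, as an added example that is not part of this thread or of Debian's own tooling; the sample page, response headers and host list are constructed.

```python
"""Flag http:// links to hosts that must be reached over TLS, and read the
HSTS max-age from response headers. Added example, not Debian tooling."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect href values of <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def insecure_links(html, sensitive_hosts):
    """Return hrefs that use plain http:// to any host in sensitive_hosts.
    The server's own redirect to HTTPS never protects the first hop, so the
    link itself must already be https://."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if url.scheme == "http" and host in sensitive_hosts:
            found.append(href)
    return found


def hsts_max_age(headers):
    """Return the max-age of a Strict-Transport-Security header, or None
    when the header is absent or carries no numeric max-age."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


# Constructed sample page modelled on the report: one http:// and one https:// keyring link.
SAMPLE_HTML = """<html><body><p>Keys:
<a href="http://keyring.debian.org/">keyring</a>,
<a href="https://keyring.debian.org/">keyring (TLS)</a>,
<a href="http://example.invalid/other">unrelated</a></p></body></html>"""
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}  # constructed
```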

