HTTPS everywhere! (was: holes in secure apt)

* Christoph Anton Mitterer <calestyo@scientia.net>, 2014-06-12, 01:06:
> - not really secure APT related: apt-listbugs
> Not sure whether it uses https for getting bug infos...

$ grep -r /soap.cgi lib/
lib/debian/btssoap.rb:        @server="http://#{host}:#{port}/cgi-bin/soap.cgi";

bts(1) and reportbug(1) don't use HTTPS either, AFAICS.

I noticed that http://bugs.debian.org/ started redirecting to the HTTPS variant recently. But it's only a temporary redirect. Does it mean we can't rely on HTTPS for bugs.d.o continuing to exist in the future?

In general, I'd love to see all the d.o services that are currently available over HTTP to move to HTTPS, with permanent redirects and STS enabled.

> but since Debian nowadays uses certs from GANDI,

I'm not quite happy about this either. I suppose it's a tradeoff between security and usability...

> which we generally cannot trust,... this is probably moot anyway.

Last time I checked trust and security were not binary. :>

Jakub Wilk
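As an added example (not from this mail, nor from any Debian tool), here is a small check for the two properties asked for above, a permanent HTTP-to-HTTPS redirect and an STS header, run over constructed sample responses; the response texts and the bugs.debian.org Location are illustrative.

```python
# Added example (not part of the original mail): classify an HTTP response's
# redirect as permanent/temporary and look for an STS (HSTS) header.
import re
from urllib.parse import urlsplit

PERMANENT_REDIRECTS = {301, 308}
TEMPORARY_REDIRECTS = {302, 303, 307}

def parse_response_head(raw: str):
    """Split a raw HTTP response head into (status code, {lowercased name: value})."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status = int(lines[0].split()[1])          # "HTTP/1.1 302 Found" -> 302
    headers = {}
    for line in lines[1:]:
        if not line.strip():                   # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def hsts_max_age(headers):
    """Return max-age from Strict-Transport-Security, or None if absent/malformed.
    Browsers only honour this header on a response received over HTTPS."""
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    match = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None

def assess_https_policy(raw: str) -> dict:
    """Summarise whether a response pushes clients to HTTPS and for how long."""
    status, headers = parse_response_head(raw)
    location = headers.get("location", "")
    to_https = urlsplit(location).scheme.lower() == "https"
    if to_https and status in PERMANENT_REDIRECTS:
        redirect = "permanent"
    elif to_https and status in TEMPORARY_REDIRECTS:
        redirect = "temporary"
    else:
        redirect = "none"
    return {"status": status, "redirect": redirect,
            "location": location, "hsts_max_age": hsts_max_age(headers)}

# Constructed sample: the situation described in the mail, a temporary redirect.
TEMP_REDIRECT = "HTTP/1.1 302 Found\r\nLocation: https://bugs.debian.org/\r\n\r\n"
# Constructed sample: what the mail asks for, a permanent redirect plus STS.
PERM_REDIRECT = ("HTTP/1.1 301 Moved Permanently\r\nLocation: https://bugs.debian.org/\r\n"
                 "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")
```

Calling `assess_https_policy(TEMP_REDIRECT)` reports `"temporary"` with no HSTS max-age, while the second sample reports `"permanent"` with a one-year max-age; for a live check, fetch the head with any HTTP client and pass the raw text in.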

