HTTPS everywhere! (was: holes in secure apt)

To: debian-devel@lists.debian.org
Subject: HTTPS everywhere! (was: holes in secure apt)
From: Jakub Wilk <jwilk@debian.org>
Date: Thu, 12 Jun 2014 10:56:09 +0200
Message-id: <[🔎] 20140612085609.GA3826@jwilk.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 1402527988.4739.34.camel@heisenberg.scientia.net>
References: <[🔎] 1402527988.4739.34.camel@heisenberg.scientia.net>

* Christoph Anton Mitterer <calestyo@scientia.net>, 2014-06-12, 01:06:

- not really secure APT related: apt-listbugs
Not sure whether it uses https for getting bug infos...


$ grep -r /soap.cgi lib/
lib/debian/btssoap.rb:        @server="http://#{host}:#{port}/cgi-bin/soap.cgi";

bts(1) and reportbug(1) don't use HTTPS either, AFAICS.

I noticed that http://bugs.debian.org/ started redirecting to the HTTPSvariant recently. But it's only a temporary redirect. Does it mean wecan't rely that HTTPS for bugs.d.o will continue to exist in the future?

In general, I'd love to see all the d.o services that are currentlyavailable over HTTP to move to HTTPS, with permanent redirects andSTS enabled.

but since Debian nowadays uses certs from GANDI,

I'm not quite happy about this either. I suppose it's a tradeoff betweensecurity and usability...

which we generally cannot trust,... this is probably moot anyway.


Last time I checked trust and security were not binary. :>

--
Jakub Wilk

Reply to:

Follow-Ups:
- Re: HTTPS everywhere! (was: holes in secure apt)
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

References:
- holes in secure apt
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

Prev by Date: Re: holes in secure apt
Next by Date: Bug#751378: ITP: openlibm -- standalone implementation of C mathematical functions
Previous by thread: Re: holes in secure apt
Next by thread: Re: HTTPS everywhere! (was: holes in secure apt)
Index(es):
- Date
- Thread