[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: HTTPS everywhere! (was: holes in secure apt)

On Thu, 2014-06-12 at 10:56 +0200, Jakub Wilk wrote: 
> $ grep -r /soap.cgi lib/
> lib/debian/btssoap.rb:        @server="http://#{host}:#{port}/cgi-bin/soap.cgi";

> bts(1) and reportbug(1) don't use HTTPS either, AFAICS.

> I noticed that http://bugs.debian.org/ started redirecting to the HTTPS 
> variant recently. But it's only a temporary redirect.
Redirects generally don't protect you...

> In general, I'd love to see all the d.o services that are currently 
> available over HTTP to move to HTTPS, with permanent redirects and 
> STS enabled.
Yep :)

> >but since Debian nowadays uses certs from GANDI,
> I'm not quite happy about this either. I suppose it's a tradeoff between 
> security and usability...
Well... IMHO it's a bad trade of... Debian has had it's own CA... and
all users that got their Debian via some trusted path could have really
secure SSL/TLS with Debian...

Now we have GANDI, which makes Debian's certs 4th level certs... anyone
in the hierarchy above can forge any Debian certs... (not to talk about
the problem, that all clients usually trust gazillions of CAs and not
just the one we need)...

Debian should rather have continued with their own CA and place that
even in some country which doesn't have something like national security
letters and gag orders.

Supplying the Debian Root CA to people not using Debian could have been
easily done by a *single* site that uses a cert available in all
browsers... which offers the Debian Root CA for secure and "trusted"

> Last time I checked trust and security were not binary. :>
Well actually security *is* black and white... an attacker won't just
attack you a "little bit" if he sees a security hole...


Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply to: