
Re: HTTPS everywhere!

On Sun, 2014-06-22 at 10:52 +1000, Russell Stuart wrote: 
> The problem isn't that government security agencies can in all
> likelihood MITM any connection they wish.  I'm sure that's true, but I'm
> equally sure they don't do it that often for fear of being caught.  It's
> actually far worse than that.  The problem is where I live every school,
> most government organisations, and many private organisations routinely
> MITM https connections passing through their infrastructure.

I do not quite see how you should actually catch them, especially when
they only selectively attack certain users.

> Given that is so, I am struggling to understand what you hope to achieve
> by setting up yet another CA.  You are operating over the same
> infrastructure, with all its problems.
Well as it should be clear to everyone by now... with an own CA and with
specifically checking for certs issued by *only that* CA you can fully
secure things like apt-listbugs.

And you could fully secure any web connection to debian.org/net,...
either users would have at least the chance to do it (by distrusting all
other CAs, checking the issuing CA manually or assisted by using
something like Certificate Patrol).
With an external CA you cannot do any of this.

Actually one could even go a step further,... IIRC, some domain/CA
combinations are hardcoded in browsers like Chrome/Firefox... if that
infrastructure is already in place, we could probably easily add a patch
so that our debian.org/net are only accepted with certs from the "Debian

> There is one easy way to tighten things up.  Currently, if a Debian user
> wants a netinst the best option we offer him is to use
> https://www.debian.org/CD/netinst/ and rely on the X.509 PKI to ensure
> he is getting the real McCoy.  That makes the download step the weakest
> link in the chain, because if I can substitute that netinst for one that
> includes my keys in the keyring package, I own him.  And given the state
> of X.509 PKI, substituting it is relatively easy.
Don't understand what you talk about... AFAICS you can't download any
netinst images via https at all.

Obviously you always have the problem of the origin of trust:
If you download a Debian image from a https server (regardless of having
a commercial CA certificate or one from a "Debian CA")... you still must
trust your current OS to verify and download correctly.
And the same is true when you verify via OpenPGP.

Anyway... my point in complaining about GANDI wasn't how we securely
deal installation images to users,... it was about giving better
security to the services we (especially DDs and admins) use on a daily


Attachment: smime.p7s
Description: S/MIME cryptographic signature
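
The check argued for in the message above (accept a certificate only if it was issued by one specific CA) can be tried out locally. The following is an added example, not part of the original message and not Debian's tooling; the CA names, the hostname bugs.example.org and the helper function names are assumptions, and all keys and certificates are constructed on the spot. It assumes OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added illustration. Every key, CA and certificate is constructed locally;
# "Pinned-CA", "Other-CA" and bugs.example.org are placeholder names.
set -eu

# write_cnf DIR FILE CN: minimal config, independent of the system openssl.cnf
write_cnf() {
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = v3_ca' '[dn]' "CN = $3" \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$1/$2.cnf"
}

# make_ca DIR NAME: self-signed CA certificate in DIR/NAME.pem
make_ca() {
    write_cnf "$1" "$2" "$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_leaf DIR CA HOST OUT: certificate for HOST signed by CA, in DIR/OUT.pem
issue_leaf() {
    write_cnf "$1" "$4" "$3"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/$4.cnf" \
        -keyout "$1/$4.key" -out "$1/$4.csr" 2>/dev/null
    openssl x509 -req -in "$1/$4.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$4.pem" 2>/dev/null
}

# verify_against TRUSTFILE CERT: succeed only if CERT chains to a CA in
# TRUSTFILE; -no-CApath keeps the system certificate directory out of it
verify_against() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: the same hostname, certified once by each CA.
work=$(mktemp -d)
make_ca "$work" Pinned-CA
make_ca "$work" Other-CA
issue_leaf "$work" Pinned-CA bugs.example.org good
issue_leaf "$work" Other-CA bugs.example.org rogue
cat "$work/Pinned-CA.pem" "$work/Other-CA.pem" > "$work/bundle.pem"
for trust in Pinned-CA bundle; do
    for cert in good rogue; do
        if verify_against "$work/$trust.pem" "$work/$cert.pem"
        then echo "$trust: $cert accepted"; else echo "$trust: $cert REJECTED"; fi
    done
done
rm -rf "$work"
```

With only Pinned-CA trusted, the certificate issued by Other-CA for the same hostname is rejected; with both CAs in the trust file it is accepted, which is the position of a client that trusts a multi-CA store.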
