
Re: people.debian.org will move from ravel to paradis and become HTTPS only

]] Wouter Verhelst 

> On Sunday 13 July 2014 22:13:10, Martin Zobel-Helas wrote:
> > Furthermore, we will change the people.debian.org web-service such that
> > only HTTPS connections will be supported (unencrypted requests will be
> > redirected).
> Why?

Because the world is a nastier place than it used to be.  It's like the
move from telnet to SSH many moons ago; all protocols ought to be
encrypted today.

> Please note that there remain cases where accessing HTTPS is difficult
> or impossible. One of these (but by no means the only one) is the
> current release of debian-installer: the wget implementation inside
> stable d-i does not support https, so downloading files from people.d.o
> (e.g., for preseeding) will become impossible if this is implemented as
> stated.

Hopefully you're not preseeding from an HTTP source, since that means
you're quite vulnerable to trivial MITM attacks unless you do extra
checking against checksums (something d-i doesn't support, AFAIK).

> Is there an actual attack vector that we're trying to protect against
> which requires us to disable plain HTTP, or is this just yet another
> instance of the bogus "HTTP is obsolete" idea?

There are lots of attack vectors.  It's not a response to a single
attack being exploited in the wild.

Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
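
As an added illustration of the checksum point above (example script, not code from this thread or from d-i): a fetch wrapper that refuses to use a downloaded preseed file unless its SHA-256 matches a digest pinned in advance. The function names, the file:// shortcut used for the offline demonstration and the sample preseed content are all constructed for this example; in practice the pinned digest would arrive over a trusted channel such as the installer's boot parameters.

```shell
#!/bin/sh
# Added example: verify a downloaded preseed file against a pinned SHA-256.
# Whatever the transport (HTTP or HTTPS), a tampered file fails this check.
set -u

# fetch_file URL DEST -- download URL to DEST with wget (as d-i does).
# file:// URLs are copied locally so the demonstration below runs offline.
fetch_file() {
    url=$1; dest=$2
    case "$url" in
        file://*) cp "${url#file://}" "$dest" ;;
        *)        wget -q -O "$dest" "$url" ;;
    esac
}

# sha256_of FILE -- print the hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# fetch_and_verify URL EXPECTED_SHA256 DEST
# Returns 0 only when the download succeeded and the digest matches.
# On mismatch the file is deleted so no later step can use it by accident.
fetch_and_verify() {
    url=$1; expected=$2; dest=$3
    fetch_file "$url" "$dest" || { echo "download failed: $url" >&2; return 1; }
    actual=$(sha256_of "$dest")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $url: got $actual, expected $expected" >&2
        rm -f "$dest"
        return 2
    fi
    return 0
}

# Constructed sample: a one-line preseed file and its pinned digest.
demo_preseed=$(mktemp)
printf 'd-i mirror/http/hostname string ftp.debian.org\n' > "$demo_preseed"
good_sum=$(sha256_of "$demo_preseed")
bogus_sum=0000000000000000000000000000000000000000000000000000000000000000

# Correct digest: verification passes.
demo_verify_ok() { fetch_and_verify "file://$demo_preseed" "$good_sum" "$(mktemp)"; }

# Digest that does not match the file (as after in-transit tampering):
# verification returns 2 and the unverified copy is removed.
demo_verify_bad() {
    bad_dest=$(mktemp)
    fetch_and_verify "file://$demo_preseed" "$bogus_sum" "$bad_dest"; rc=$?
    [ "$rc" -eq 2 ] && [ ! -e "$bad_dest" ]
}

demo_verify_ok && echo "preseed verified, safe to use"
```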
