Re: people.debian.org will move from ravel to paradis and become HTTPS only
]] Wouter Verhelst
> On Sunday 13 July 2014 22:13:10, Martin Zobel-Helas wrote:
> > Furthermore, we will change the people.debian.org web-service such that
> > only HTTPS connections will be supported (unencrypted requests will be
> > redirected).
>
> Why?
Because the world is a nastier place than it used to be. It's like the
move from telnet to SSH many moons ago, all protocols ought to be
encrypted today.
> Please note that there remain cases where accessing HTTPS is difficult
> or impossible. One of these (but by no means the only one) is the
> current release of debian-installer: the wget implementation inside
> stable d-i does not support https, so downloading files from people.d.o
> (e.g., for preseeding) will become impossible if this is implemented as
> stated.
Hopefully you're not preseeding from an HTTP source, since that means
you're quite vulnerable to trivial MITM attacks unless you do extra
checking against checksums (something d-i doesn't support, AFAIK).
> Is there an actual attack vector that we're trying to protect against
> which requires us to disable plain HTTP, or is this just yet another
> instance of the bogus "HTTP is obsolete" idea?
There are lots of attack vectors. It's not a response to a single
attack being exploited in the wild.
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
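As an added example, not part of this thread or of debian-installer, the "extra checking against checksums" that the reply says d-i itself lacks, written as a POSIX shell fragment that a wrapper around the fetch could apply: the preseed file is downloaded (here with `wget`, as the busybox wget in stable d-i would), its SHA-256 is compared with a digest obtained out-of-band, and the file is discarded on mismatch. The function names, the sample preseed line and the "modified in transit" line are constructed for the demonstration; an attacker on a plain-HTTP path can alter the file, which is exactly what the digest check catches.

```shell
#!/bin/sh
# Added example: verify a preseed file against a known-good SHA-256 digest
# before letting an installer consume it. Works with GNU coreutils
# (sha256sum) or BSD/macOS (shasum -a 256).

sha256_of() {
  # Print only the hex digest of the given file.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_preseed() {
  # $1 = file, $2 = expected SHA-256 (lowercase hex, obtained out-of-band).
  # Returns 0 on match, 1 on mismatch, 2 if the file cannot be hashed.
  file=$1
  expected=$2
  actual=$(sha256_of "$file") || return 2
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "preseed digest mismatch for $file" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

fetch_and_verify_preseed() {
  # $1 = URL (may be plain HTTP), $2 = destination path, $3 = expected digest.
  # The digest must NOT come from the same unauthenticated channel as the
  # file; pin it in the boot parameters or another trusted location.
  url=$1
  dest=$2
  expected=$3
  wget -q -O "$dest" "$url" || return 3
  if ! verify_preseed "$dest" "$expected"; then
    rm -f "$dest"        # never leave an unverified preseed where d-i would read it
    return 1
  fi
  return 0
}

demo() {
  # Constructed sample: one preseed line, hashed, then altered to show the
  # check rejecting a file that differs from what the digest was taken over.
  tmp=$(mktemp)
  printf 'd-i debian-installer/locale string en_US\n' > "$tmp"
  good=$(sha256_of "$tmp")
  if verify_preseed "$tmp" "$good"; then
    echo "accepted: digest matches"
  fi
  printf '# modified in transit (constructed)\n' >> "$tmp"
  if verify_preseed "$tmp" "$good" 2>/dev/null; then
    echo "BUG: altered file accepted"
  else
    echo "rejected: digest no longer matches"
  fi
  rm -f "$tmp"
}

demo
```

The point of splitting `verify_preseed` from `fetch_and_verify_preseed` is that the digest comparison can be dropped into any fetch path, including an HTTPS one: TLS authenticates the server, while the pinned digest authenticates the specific file content, and the two checks fail independently.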