Re: people.debian.org will move from ravel to paradis and become HTTPS only

On Sun, Jul 20, 2014, at 08:15, Wouter Verhelst wrote:
> Additionally, since debian.org uses DNSSEC, if you can somehow MITM
> people.debian.org then due to DANE you can MITM it for HTTP as well as
> HTTPS, so forcing HTTPS really doesn't gain you much.

But that implies that the attacker has access to private keys, and in
that case you are so screwed. The possibility of stolen private keys should
not be an argument for not implementing security.

> > There are lots of attack vectors.  It's not a response to a single
> > attack being exploited in the wild.
> So name one?

Pervasive monitoring. Really we should introduce encryption

Ondřej Surý
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

