
Re: people.debian.org will move from ravel to paradis and become HTTPS only

On 20 July 2014 10:07, Wouter Verhelst <w@uter.be> wrote:
> With the state of the CA cartel these days, I have little
> trust in the strength of HTTPS as a verification mechanism, and so I
> wouldn't trust a file to be correct even if it came through an HTTPS
> connection that validates. Instead, I would only trust such a file if it
> came with a GPG signature from a key that is in the Debian keyring.

Good, because that's not what HTTPS does for you.  It makes it more
difficult to watch exactly what you're accessing.

Suppose for example I uploaded a preseed file to people.debian.org
that created a Tor relay, and a suitably large government agency
wanted to see all the IP addresses installing it.  With HTTP, they
just break into the internet backbone at an appropriate point, and log
every request for that file in a *completely undetectable manner*.
With HTTPS, they either need to break into the machine running
people.debian.org, or start presenting a different SSL certificate -
both things which can potentially be detected.

Another situation is if a dissident accesses people.debian.org via
Tor.  With HTTP, the operator of the exit node they are using could
MITM the request and tamper with the file - no state intervention
required.  If it's a web page, they could potentially attempt to
exploit the browser.

>> > Additionally, since debian.org uses DNSSEC, if you can somehow MITM
>> > people.debian.org then due to DANE you can MITM it for HTTP as well as
>> > HTTPS, so forcing HTTPS really doesn't gain you much.

In this scenario, you gain that if the adversary wants to see what
you're doing with your HTTPS connection, they need to do something
potentially noticeable like change the SSL certificate being offered.

> Again, I support enabling HTTPS, and I support making it the default
> if possible. I just don't think disabling plain HTTP is a good idea.

Annoyingly, unless d-i supports SSL (or runs Tor), taking this very
sensible move is rather inconvenient.

Another potential use for plain HTTP would be if we installed a Tor
hidden service on paradis, and published the address in a GPG-signed
message.  You would avoid the CA cartel, and have some assurance of

Kind regards,

Tim Retout <diocles@debian.org>
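The point made above, that intercepting HTTPS forces an adversary to present a different certificate and that this is "potentially detectable", is only true if someone is actually looking. The following is an added example (not code from this thread, from Debian, or from people.debian.org) of the simplest such check: a trust-on-first-use store that records the leaf certificate fingerprint and issuer seen for each host and raises an alert when either changes. All records in `SAMPLE_LOG`, the fingerprints `FP_A`/`FP_B` and the issuer names are constructed test data; the function and class names are this example's own.

```python
"""Trust-on-first-use (TOFU) certificate-change detector (hypothetical example).

Reads observation records of the form

    <timestamp> <host> <sha256-fingerprint-of-leaf-cert> <issuer DN>

and flags any host whose certificate fingerprint or issuer differs from
the first sighting. This is the check that makes an interception attempt
"potentially detectable": a passive observer of HTTP leaves no such trace,
but an HTTPS interceptor must hand the client a certificate it did not
expect.
"""
import hashlib
from dataclasses import dataclass


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of a DER-encoded certificate as lower-case hex.

    In real use the bytes come from ssl.SSLSocket.getpeercert(binary_form=True);
    the log format below stores exactly this value.
    """
    return hashlib.sha256(der_cert).hexdigest()


@dataclass
class Observation:
    ts: str
    host: str
    fingerprint: str
    issuer: str


@dataclass
class Alert:
    ts: str
    host: str
    kind: str      # "fingerprint-changed" or "issuer-changed"
    old: str
    new: str


def parse_line(line: str) -> Observation:
    # The issuer DN may contain spaces, so it is the last, unsplit field.
    ts, host, fp, issuer = line.split(" ", 3)
    return Observation(ts, host, fp.lower(), issuer)


def parse_log(text: str):
    return [parse_line(l) for l in text.splitlines()
            if l.strip() and not l.startswith("#")]


class TofuStore:
    """Remembers the first certificate seen per host and reports deviations."""

    def __init__(self):
        self.known = {}  # host -> Observation from first sighting

    def check(self, obs: Observation):
        prev = self.known.get(obs.host)
        if prev is None:
            self.known[obs.host] = obs   # first contact: pin it
            return []
        alerts = []
        if obs.fingerprint != prev.fingerprint:
            alerts.append(Alert(obs.ts, obs.host, "fingerprint-changed",
                                prev.fingerprint, obs.fingerprint))
        if obs.issuer != prev.issuer:
            alerts.append(Alert(obs.ts, obs.host, "issuer-changed",
                                prev.issuer, obs.issuer))
        return alerts


def scan(text: str):
    """Run every record in the log through one TOFU store; return all alerts."""
    store = TofuStore()
    alerts = []
    for obs in parse_log(text):
        alerts.extend(store.check(obs))
    return alerts


# Constructed sample data: made-up fingerprints and issuer names, not real
# certificates. The fourth record models a client being handed a different
# certificate for people.debian.org from a different issuer.
FP_A = "a1" * 32
FP_B = "b2" * 32
SAMPLE_LOG = f"""\
# ts host fingerprint issuer
2014-07-20T10:00:00Z people.debian.org {FP_A} CN=Example Public CA, O=Example
2014-07-20T10:05:00Z www.example.org {FP_B} CN=Example Public CA, O=Example
2014-07-20T10:10:00Z people.debian.org {FP_A} CN=Example Public CA, O=Example
2014-07-20T11:00:00Z people.debian.org {FP_B} CN=Constructed Interception CA
2014-07-20T11:05:00Z www.example.org {FP_B} CN=Example Public CA, O=Example
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.host}: {a.kind}: {a.old!r} -> {a.new!r}")
```

A legitimate certificate renewal also changes the fingerprint, so in practice the fingerprint alert is a prompt to look, while an unexpected issuer change is the stronger signal; either way the check only works if observations are collected from vantage points the adversary cannot also control.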
