
Re: people.debian.org will move from ravel to paradis and become HTTPS only

On Sun, 20 Jul 2014 10:45:10 +0200, Wouter Verhelst <w@uter.be> wrote:
>On Sunday 20 July 2014 09:23:55 you wrote:
>> On Sun, Jul 20, 2014, at 08:15, Wouter Verhelst wrote:
>> > Additionally, since debian.org uses DNSSEC, if you can somehow MITM
>> > people.debian.org then due to DANE you can MITM it for HTTP as well as
>> > HTTPS, so forcing HTTPS really doesn't gain you much.
>> But that implies that the attacker has access to private keys, and in this
>> case you are so screwed.
>My point exactly: if someone can somehow MITM people.debian.org they
>have access to private key material that they shouldn't have access to.

I might be missing something, and I admit not having read the entire
thread, but how would they have access to private key material?

_My_ GPG key has never been near people.debian.org, and I suspect that
key ring management would (rightfully!) promptly kick any public key
whose private key was found on p.d.o out of the keyring.

-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mail address in header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
