Re: people.debian.org will move from ravel to paradis and become HTTPS only
At Sun, 20 Jul 2014 11:07:16 +0200,
Wouter Verhelst wrote:
> Even ignoring that, assuming people trust that code off
> people.debian.org is "safe", if they run a validating DNS resolver they
> don't run more of a risk than if they use only HTTPS.
I don't really follow that. A validating DNS resolver only makes sure
you connect to the right IP address. DANE can specify the certificate
to use for HTTPS, but you can't forward HTTP requests to HTTPS with
DANE as far as I know.
In the case of HTTP a MITM attack can send a fake response to the HTTP
request without the need for any key material/certificates or need to
fake DNSSEC. For HTTPS it would need to have a certificate for
people.debian.org that the client trusts.
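As an added illustration (not code from the original thread), a small Python model of the DANE/TLSA matching the reply refers to: the record is published under the TLS port name, so a client doing plain HTTP on port 80 never consults it, and the check itself only binds the certificate seen in a TLS handshake. Certificate bytes are constructed stand-ins, and only selector 0 (full certificate) is handled.

```python
import hashlib
from dataclasses import dataclass

# Added example, not code from the original thread. Models the TLSA record
# (RFC 6698) that DANE uses to pin an HTTPS certificate, and the DNS owner
# name it hangs off, to show why it has no effect on a plain-HTTP fetch.

@dataclass(frozen=True)
class TLSA:
    usage: int          # 3 = DANE-EE: the record names the end-entity cert itself
    selector: int       # 0 = full DER certificate, 1 = SubjectPublicKeyInfo only
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def tlsa_owner_name(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name of the TLSA record; keyed by the TLS port, so port 80 has none."""
    return f"_{port}._{proto}.{host}."

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format, e.g. '3 0 1 <hex digest>'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))

def _assoc_data(cert_der: bytes, matching_type: int) -> bytes:
    """Certificate association data for selector 0 (full certificate)."""
    if matching_type == 0:
        return cert_der
    if matching_type == 1:
        return hashlib.sha256(cert_der).digest()
    if matching_type == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching_type}")

def tlsa_for_cert(cert_der: bytes, usage: int = 3, matching_type: int = 1) -> str:
    """Record text a zone operator would publish for this certificate (selector 0)."""
    return f"{usage} 0 {matching_type} {_assoc_data(cert_der, matching_type).hex()}"

def cert_matches(record: TLSA, cert_der: bytes) -> bool:
    """Client-side check: does the certificate from the TLS handshake match the record?"""
    if record.selector != 0:
        raise NotImplementedError("selector 1 (SPKI) needs an ASN.1 parser; omitted here")
    return record.data == _assoc_data(cert_der, record.matching_type)

# Constructed stand-ins for DER certificates (not real X.509 data).
SERVER_CERT = b"constructed DER for the legitimate people.debian.org certificate"
OTHER_CERT = b"constructed DER for some other certificate"

if __name__ == "__main__":
    record = parse_tlsa(tlsa_for_cert(SERVER_CERT))
    print(tlsa_owner_name("people.debian.org"))  # _443._tcp.people.debian.org.
    print(cert_matches(record, SERVER_CERT))      # True
    print(cert_matches(record, OTHER_CERT))       # False
```

The owner name makes the reply's point concrete: a validating resolver can authenticate this record for the HTTPS port, but nothing in DNS turns a port-80 request into one.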