Re: people.debian.org will move from ravel to paradis and become HTTPS only

[Wouter Verhelst <w@uter.be>]

Op zondag 20 juli 2014 11:38:13 schreef Marc Haber:
> On Sun, 20 Jul 2014 10:45:10 +0200, Wouter Verhelst <w@uter.be> wrote:
> >Op zondag 20 juli 2014 09:23:55 schreef u:
> >> On Sun, Jul 20, 2014, at 08:15, Wouter Verhelst wrote:
> >> > Additionally, since debian.org uses DNSSEC, if you can somehow MITM
> >> > people.debian.org then due to DANE you can MITM it for HTTP as well as
> >> > HTTPS, so forcing HTTPS really doesn't gain you much.
> >> 
> >> But that implies that the attacker has access to private keys, and in
> >> this
> >> case you are so screwed.
> >
> >My point exactly: if someone can somehow MITM people.debian.org they
> >have access to private key material that they shouldn't have access to.
> 
> I might me missing something, and I admit not having read the entire
> thread, but how would they have access to private key material?

Beyond GPG keys there are also DNSSEC private keys, SSL private keys,
and (to some extent) router administration passwords could also be
considered private keys.

-- 
It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26