
Re: people.debian.org will move from ravel to paradis and become HTTPS only



On Saturday 19 July 2014 22:54:47 you wrote:
> ]] Wouter Verhelst
> > On Sunday 13 July 2014 22:13:10 Martin Zobel-Helas wrote:
> > > Furthermore, we will change the people.debian.org web-service such that
> > > only HTTPS connections will be supported (unencrypted requests will be
> > > redirected).
> > 
> > Why?
> 
> Because the world is a nastier place than it used to be.  It's like the
> move from telnet to SSH many moons ago, all protocols ought to be
> encrypted today.

Well, I disagree with that.

With telnet vs SSH, the move was necessary because telnet would send
passwords in the clear, and because telnet is mostly a control interface
rather than anything else.

With HTTP vs HTTPS, the move can be necessary (many control interfaces
these days are written in HTTP server-side code, and then using plain
HTTP is a bad idea), but I doubt the majority of uses for
people.debian.org is anything but downloading static files these days.

It's good to make HTTPS the default, which if you must you can do
(amongst other things) by way of HSTS. However, I fail to see why we
should make HTTP impossible for those cases where it's needed.

> > Please note that there remain cases where accessing HTTPS is difficult
> > or impossible. One of these (but by no means the only one) is the
> > current release of debian-installer: the wget implementation inside
> > stable d-i does not support https, so downloading files from people.d.o
> > (e.g., for preseeding) will become impossible if this is implemented as
> > stated.
> 
> Hopefully you're not preseeding from a HTTP source, since that means
> you're quite vulnerable to trivial MITM attacks

True, but debian-installer simply does not support any signed/encrypted
preseeding.

Additionally, since debian.org uses DNSSEC, if you can somehow MITM
people.debian.org then due to DANE you can MITM it for HTTP as well as
HTTPS, so forcing HTTPS really doesn't gain you much.

> unless you do extra checking against checksums (something d-i doesn't
> support, AFAIK).

Also true.

Granted, these are probably bugs, and IIRC Colin was working on
providing HTTPS support for jessie. Still, while I support enabling
HTTPS for people.d.o, I think disabling HTTP is overdoing it.

> > Is there an actual attack vector that we're trying to protect against
> > which requires us to disable plain HTTP, or is this just yet another
> > instance of the bogus "HTTP is obsolete" idea?
> 
> There are lots of attack vectors.  It's not a response to a single
> attack being exploited in the wild.

So name one?

-- 
It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

