
Re: Q: Use https for {deb,security}.debian.org by default



Jeremy Stanley <fungi@yuggoth.org> writes:

> I agree with all of the above, my point was that the current state of
> HTTPS doesn't especially improve integrity for Debian package management
> over the signed indices and checksums we already rely on, and trying to
> use HTTPS for privacy/secrecy (which isn't really what it was designed
> for) is still and perhaps even increasingly misguided. Of course lots of
> people will continue to expect magic HTTPS fairy dust to protect them
> and ward off evil, but the only legitimate reason I can see for Debian
> changing the default protocol for sources.list entries is to avoid
> having to pointlessly debate the minimal benefits of HTTPS with people
> who drink whatever cool-aid they're told by security "experts" (HTTP
> bad, HTTPS good, drink up!).

Do you think using HTTPS makes security worse?

No idea whether I qualify as a "security expert" but as someone who has
spent a fair amount of time working in security, my concern is making
advice simple enough for people to follow.  Complicated, conditional, or
inconsistent advice means you lose people who decide this is all too hard
to understand and just do nothing.

"Use HTTPS everywhere that supports it" is simple and actionable advice
for the average person that will make them more secure.  There are
applications and sites where HTTPS doesn't really help, but other than
some unusual performance edge cases that are pretty rare in practice, it
doesn't hurt.  It's not magic fairy dust, but it does raise the bar
against a set of attacks, provides some additional privacy against casual
non-targeted snooping, and is a better default than not using TLS.

Personally, I think we should switch our default to HTTPS not because we
have a specific security flaw in mind against which HTTPS provides some
protection but because it's consistent with the general message that a lot
of us (including, for example, the EFF and the IETF) are trying to send to
average users who don't have the expertise to analyze any of this: use TLS
by default wherever you can.  It's not a panacea, but ubiquitous, default
use of TLS helps both your security and your privacy compared to either
the previous default of no TLS or spending a bunch of mental energy
picking and choosing.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

