
Re: No port 443 (https) available at "security.debian.org"-repository



On Wed, Jul 26, 2017 at 07:01:36AM +0800, James Bromberger wrote:
> On 26/07/2017 6:20 AM, Adam Borowski wrote:
> > https provides no protection against targeted attacks by government agents.
> > The CA cartel model consists of 400+ CAs, many of them outright controlled
> > by governments, most of the rest doing what they're told (no, warrants
> > are a story for nice kids).  Clients in general trust _any_ CA, which means
> > you're only as secure as the worst CA.  I.e., https protects you against Joe
> > Script Kiddie but not against a capable opponent.
> 
> Except there are new-ish ways to limit the scope from 400+ CAs to just
> the one you use.
> cf.
> /Certification Authority Authorization/ (/CAA/) /DNS/ Resource
> https://tools.ietf.org/html/rfc6844
> 
> ... if APT wishes to support this.

This one is meant to be used only by CAs.  And a rogue CA has no reason to
obey this request (especially if it _normally_ obeys it).

For users, the equivalent is TLSA, which allows both CA constraints and
specifying a fingerprint of the certificate itself.


-- 
⢀⣴⠾⠻⢶⣦⠀ What Would Jesus Do, MUD/MMORPG edition:
⣾⠁⢰⠒⠀⣿⡁ • multiplay with an admin char to benefit your mortal
⢿⡄⠘⠷⠚⠋⠀ • abuse item cloning bugs (the five fishes + two breads affair)
⠈⠳⣄⠀⠀⠀⠀ • use glitches to walk on water
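The TLSA matching that the reply above refers to, as an added example that is not code from this thread, from APT or from Debian: it applies the RFC 6698 usage, selector and matching-type rules to a presented certificate chain, so a record can either pin the server's own key (usage 3) or constrain which CA may have issued it (usage 0). The DER byte strings are constructed placeholders, and the PKIX validation that usages 0 and 1 additionally require is assumed to happen elsewhere.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 0 = PKIX-TA, 1 = PKIX-EE, 2 = DANE-TA, 3 = DANE-EE
    selector: int       # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file form, e.g. '3 1 1 <hex digest>' (hex may contain spaces)."""
    usage, selector, mtype, *hexparts = presentation.split()
    return TLSARecord(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))

def association_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Apply one record's selector and matching type to one certificate."""
    selected = {0: cert_der, 1: spki_der}[record.selector]
    if record.matching_type == 0:
        candidate = selected
    elif record.matching_type == 1:
        candidate = hashlib.sha256(selected).digest()
    elif record.matching_type == 2:
        candidate = hashlib.sha512(selected).digest()
    else:
        raise ValueError(f"unknown matching type {record.matching_type}")
    return hmac.compare_digest(candidate, record.data)

def chain_satisfies(record: TLSARecord, chain: list[tuple[bytes, bytes]]) -> bool:
    """chain[0] is the end-entity cert, the rest its issuers; entries are (cert DER, SPKI DER).
    Usages 1 and 3 pin the end-entity certificate itself; usages 0 and 2 are CA constraints
    satisfied by any certificate in the presented chain.  Usages 0 and 1 also require normal
    PKIX path validation, which this function does not perform (assumed done by the caller)."""
    if record.usage in (1, 3):
        return association_matches(record, *chain[0])
    if record.usage in (0, 2):
        return any(association_matches(record, cert, spki) for cert, spki in chain)
    raise ValueError(f"unknown usage {record.usage}")

# Constructed placeholder bytes standing in for real DER encodings (not a real certificate).
EE_CERT, EE_SPKI = b"constructed end-entity cert DER", b"constructed end-entity SPKI DER"
CA_CERT, CA_SPKI = b"constructed issuing CA cert DER", b"constructed issuing CA SPKI DER"
CHAIN = [(EE_CERT, EE_SPKI), (CA_CERT, CA_SPKI)]

# A DANE-EE record pinning the server key itself (the "fingerprint of the certificate" case) ...
PIN_EE_KEY = parse_tlsa("3 1 1 " + hashlib.sha256(EE_SPKI).hexdigest())
# ... and a PKIX-TA record constraining which CA may have issued the certificate.
CONSTRAIN_CA = parse_tlsa("0 0 1 " + hashlib.sha256(CA_CERT).hexdigest())
```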