
Re: security-tracker now on https?



On Fri, May 17, 2013 10:50, Peter Palfrader wrote:
> On Fri, 17 May 2013, Thijs Kinkhorst wrote:
>
>> Hi dsa,
>>
>> On Thu, April 4, 2013 11:10, Thijs Kinkhorst wrote:
>> > Hi admins,
>> >
>> > It was noted that the security tracker now blanket redirects to
>> > https://security-tracker.debian.org. This is fine of course for us
>> > DD's, but it presents a problem for externals using it. The tracker is
>> > often used by e.g. different distributions like RH and Gentoo, which
>> > may not have the SPI CA in their trust store by default and thus makes
>> > it inconvenient to them.
>> >
>> > We're not aware of any confidentiality sensitive information on that
>> > web site so enforcing https here does not seem strictly necessary.
>> >
>> > Is it possible to revert this change?
>>
>> Did you get around to looking into this issue yet?
>
> It's still on our table.  There appear to be no really good solutions to
> the ssl mafia mess.
>
> The "solution" I'm favouring right now is to get a single *.debian.org
> wildcard from the cartell and spread it far and wide.

It's a mess, indeed. There's also some SPI talk about this problem going on.

> This actually *reduces* security, but it will stop people from
> complaining.  Win?

But for the security-tracker case, is there a need to be redirecting to
HTTPS at all? All information there is already public and no logins
happen.


Cheers,
Thijs

