It's a bit ironic that the Debian security site
doesn't offer SSL, right? If an attacker can MITM an
organization that uses Debian, then they can MITM the Debian
security page and control what security bulletins that
organization can access.
In the future, organizations may be running software that
automatically makes decisions about security policies based on
the SCAP content in files such as this. If an attacker can
MITM this automated security mechanism, then the attacker can
interfere with or blind the organization's automated security
tools.
I'd like to suggest that Debian should at least use SSL on
their security site, even if nowhere else.
Cheers,
--
Mark E. Haase
CISSP, CEH
Sr. Security Software Engineer
www.lunarline.com
3300 N Fairfax Drive, Suite 308, Arlington, VA 22201