
Re: SSL for debian.org/security?



How about if we use an SSL certificate signed by Debian's own root CA, which can be shipped with the distros? This will eliminate the paranoia about NSA having control over the existing CA, especially the one based in the States.

-Vipul

On Oct 29, 2013 4:18 AM, "Volker Birk" <vb@pibit.ch> wrote:
On Mon, Oct 28, 2013 at 09:31:35PM -0400, Mark Haase wrote:
> It's a bit ironic that the Debian security site doesn't offer SSL, right?
> If an attacker can MITM an organization that uses Debian, then they can
> MITM the Debian security page and control what security bulletins that
> organization can access.

BTW: if the NSA take one single trusted CA (and they did for sure),
HTTPS is b0rken for each site.

Yours,
VB.
--
Volker Birk
Oberer Graben 4, 8400 Winterthur, Schweiz
mailto:vb@dingens.org  http://fdik.org
