
Re: SSL for debian.org/security?



For apt-get a self-signed certificate could be used which comes together
with Debian. No CA required. This is both simpler and safer.

Vipul Agarwal:
> How about if we use an SSL certificate signed by Debian's own root CA which
> can be shipped with the distros? This will eliminate the paranoia about NSA
> having control over the existing CA especially the one based in the States.
> 
> -Vipul
> On Oct 29, 2013 4:18 AM, "Volker Birk" <vb@pibit.ch> wrote:
> 
>> On Mon, Oct 28, 2013 at 09:31:35PM -0400, Mark Haase wrote:
>>> It's a bit ironic that the Debian security site doesn't offer SSL, right?
>>> If an attacker can MITM an organization that uses Debian, then they can
>>> MITM the Debian security page and control what security bulletins that
>>> organization can access.
>>
>> BTW: if the NSA take one single trusted CA (and they did for sure),
>> HTTPS is b0rken for each site.
>>
>> Yours,
>> VB.
>> --
>> Volker Birk
>> Oberer Graben 4, 8400 Winterthur, Schweiz
>> mailto:vb@dingens.org  http://fdik.org
>>
> 

