
Re: SSL for debian.org/security?



On Wed, 30 Oct 2013 09:59:39 +0000
adrelanos <adrelanos@riseup.net> wrote:

> For apt-get a self-signed certificate could be used which comes together
> with Debian. No CA required. This is both simpler and safer.

Maybe I'm missing something, but the security of the apt system has
nothing to do with SSL - it uses GPG signatures. This discussion about
SSL concerns the website, etc.

> Vipul Agarwal:
> > How about if we use an SSL certificate signed by Debian's own root CA which
> > can be shipped with the distros? This will eliminate the paranoia about NSA
> > having control over the existing CA especially the one based in the States.
> > 
> > -Vipul
> > On Oct 29, 2013 4:18 AM, "Volker Birk" <vb@pibit.ch> wrote:
> > 
> >> On Mon, Oct 28, 2013 at 09:31:35PM -0400, Mark Haase wrote:
> >>> It's a bit ironic that the Debian security site doesn't offer SSL, right?
> >>> If an attacker can MITM an organization that uses Debian, then they can
> >>> MITM the Debian security page and control what security bulletins that
> >>> organization can access.
> >>
> >> BTW: if the NSA take one single trusted CA (and they did for sure),
> >> HTTPS is b0rken for each site.
> >>
> >> Yours,
> >> VB.
> >> --
> >> Volker Birk

Celejar

