
Re: SSL for debian.org/security?



On Wed, 2013-10-30 at 11:34 -0200, Djones Boni wrote:
> On 30-10-2013 11:05, Celejar wrote:
> > You're snipping crucial context; my comment above was in response to
> > this:
> >> For apt-get a self-signed certificate could be used which comes together
> >> with Debian. No CA required. This is both simpler and safer.
> > I was pointing out that this comment makes no sense in the context of
> > apt-get. It sounds like you're referring to the website or email system.
> I am talking about updates.
> 
> Yes. Apt uses OpenPGP to verify the integrity and authenticity of the
> packages it downloads.
> But how does apt get these packages? Over insecure HTTP.
> 
> Hacking DNS or a MITM attack can hide updates from you or a country. Then
> you are vulnerable due to out-of-date software and you don't even know
> about it.
> 
> 


> and you don't even know
> about it.

That's why I am on debian-security@lists.debian.org.


