
Re: Debian mirrors and MITM



In Oct 2013 a similar discussion started
https://lists.debian.org/debian-security/2013/10/msg00027.html

On 30 May 2014 14:15:01 CEST, Alfie John <alfiej@fastmail.fm> wrote:
>Hi guys,
>
>Taking a look at the Debian mirror list, I see none serving over HTTPS:
>
>  https://www.debian.org/mirror/list
>
>The public Debian mirrors seem like an obvious target for governments to
>MITM. I know that the MD5s are also published, but unless you're
>verifying them with third parties, what's stopping the MD5s being
>compromised too?
>
>Is there any compelling reason why the public Debian mirrors aren't
>served over HTTPS? If there isn't any, then further to this, is there
>any reason why not to mandate all public Debian mirrors HTTPS-only?
>
>Alfie

