Re: Debian mirrors and MITM

To: debian-security@lists.debian.org
Subject: Re: Debian mirrors and MITM
From: Michael Stone <mstone@debian.org>
Date: Fri, 30 May 2014 18:42:13 -0400
Message-id: <[🔎] 8bcb9ec8-e84b-11e3-9d19-00163eeb5320@msgid.mathom.us>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 5388DF73.8010004@rail.eu.org>
References: <[🔎] 1401452101.25524.123263721.146F1AFF@webmail.messagingengine.com> <[🔎] 20140530193013.GA20679@kitenet.net> <[🔎] 5388DF73.8010004@rail.eu.org>

On Fri, May 30, 2014 at 09:43:47PM +0200, Erwan David wrote:

Note that at least debian.org DNS is segned by DNSSEC and DANE is used,
which allows to check that the certificate used by a debian.org site is
the real one.

We're not at the point where that can be relied on in the real world.There are still resolvers that filter out DNSSEC records. (Sad, buttrue.)


Mike Stone

Reply to:

References:
- Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: Joey Hess <joeyh@debian.org>
- Re: Debian mirrors and MITM
  - From: Erwan David <erwan@rail.eu.org>

Prev by Date: Re: Debian mirrors and MITM
Next by Date: Re: PPA security (was: Debian mirrors and MITM)
Previous by thread: Re: Debian mirrors and MITM
Next by thread: Re: Debian mirrors and MITM
Index(es):
- Date
- Thread