Re: Debian mirrors and MITM

To: debian-security@lists.debian.org
Subject: Re: Debian mirrors and MITM
From: Patrick Schleizer <adrelanos@riseup.net>
Date: Sat, 31 May 2014 10:50:03 +0000
Message-id: <[🔎] 5389B3DB.5020708@riseup.net>
In-reply-to: <[🔎] 20140531091020.GP20401@anguilla.noreply.org>
References: <[🔎] 1401452101.25524.123263721.146F1AFF@webmail.messagingengine.com> <[🔎] 20140530193013.GA20679@kitenet.net> <[🔎] 20140531091020.GP20401@anguilla.noreply.org>

Peter Palfrader:
> On Fri, 30 May 2014, Joey Hess wrote:
> 
>> Alfie John wrote:
>>> Taking a look at the Debian mirror list, I see none serving over HTTPS:
>>>
>>>   https://www.debian.org/mirror/list
>>
>> https://mirrors.kernel.org/debian is the only one I know of.
>>
>> It would be good to have a few more, because there are situations where
>> debootstrap is used without debian-archive-keyring being available, and
>> recent versions of debootstrap try to use https in that situation, to at
>> least get the weak CA level of security.
> 
> That doesn't buy you anything.  Mirrors, even if you trusted them, don't
> use authenticated syncing protocols.
> 

Looks like another issue worth fixing under the encrypt/authenticate all
the things credo.

Reply to:

References:
- Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: Joey Hess <joeyh@debian.org>
- Re: Debian mirrors and MITM
  - From: Peter Palfrader <weasel@debian.org>

Prev by Date: Re: [SECURITY] [DSA 2939-1] chromium-browser security update
Next by Date: Re: Debian mirrors and MITM
Previous by thread: Re: Debian mirrors and MITM
Next by thread: Re: Debian mirrors and MITM
Index(es):
- Date
- Thread