[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian mirrors and MITM

On Jul 3, 2014, at 12:25 PM, Hans-Christoph Steiner <hans@at.or.at> wrote:
> As for how to manage making HTTPS by default, this does not require every mirror buying HTTPS certificates every year from Certificate Authorities.  There are workable solutions based on self-signed certificates.
> In Android apps, there are two approaches that are gaining traction: including certificate pins based on the Subject Public Key Info (SPKI) in an apt in advance (https://www.imperialviolet.org/2011/05/04/pinning.html).  And using "Trust On First Use/Persistence of Pseudonym" aka "Memorizing Trust Manager" (https://github.com/ge0rg/MemorizingTrustManager) to do ssh-style trust with a yes/no prompt the first time.  These can also be optionally combined with the classic Certificate Authority, to provide a redundant check.
> We've been thinking about to make this workable, here are some notes:
> https://dev.guardianproject.info/projects/bazaar/wiki/Chained_TLS_Cert_Verification
> Or there could be a password-based CA-replacement like http://tack.io

Self-signed?  Really?

This is full of issues.  Just because someone spends time on an idea, doesn’t mean it’s a good one.

But this does trigger another idea; Debian could create their own CA for managing the project’s SSL infrastructure.  Then we would just need to trust the Debian CA.

Reply to: