Re: Debian mirrors and MITM
On Jul 3, 2014, at 12:25 PM, Hans-Christoph Steiner <firstname.lastname@example.org> wrote:
> As for how to manage making HTTPS by default, this does not require every mirror buying HTTPS certificates every year from Certificate Authorities. There are workable solutions based on self-signed certificates.
> In Android apps, there are two approaches that are gaining traction: including certificate pins based on the Subject Public Key Info (SPKI) in an app in advance (https://www.imperialviolet.org/2011/05/04/pinning.html), and using "Trust On First Use/Persistence of Pseudonym" aka "Memorizing Trust Manager" (https://github.com/ge0rg/MemorizingTrustManager) to do ssh-style trust with a yes/no prompt the first time. These can also be optionally combined with the classic Certificate Authority, to provide a redundant check.
> We've been thinking about how to make this workable; here are some notes:
> Or there could be a password-based CA-replacement like http://tack.io
This is full of issues. Just because someone spends time on an idea, doesn’t mean it’s a good one.
But this does trigger another idea; Debian could create their own CA for managing the project’s SSL infrastructure. Then we would just need to trust the Debian CA.
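The quoted message describes SPKI pinning, ssh-style trust-on-first-use, and combining either with the CA check. The following is an added example (not code from either poster, nor from the MemorizingTrustManager project) of the trust decision those three pieces produce; the hostnames and the SPKI byte strings are constructed placeholders standing in for real DER SubjectPublicKeyInfo blobs.

```python
import base64
import hashlib
from enum import Enum


class Verdict(Enum):
    PINNED_OK = "matches preloaded SPKI pin and CA check passed"
    PINNED_REJECT = "pinned host: pin mismatch or CA check failed"
    TOFU_NEW = "first contact: user approved, key memorized"
    TOFU_REJECTED = "first contact: user declined"
    TOFU_OK = "matches memorized key"
    TOFU_CHANGED = "memorized key changed: reject"


def spki_pin(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


class TrustManager:
    def __init__(self, preloaded_pins, memorized=None, ask_user=None):
        # preloaded_pins: host -> set of pins shipped with the client
        self.pins = {h: set(p) for h, p in preloaded_pins.items()}
        # memorized: host -> pin recorded on first use (ssh known_hosts style)
        self.memorized = dict(memorized or {})
        # ask_user(host, pin) -> bool; default declines, so nothing is memorized silently
        self.ask_user = ask_user or (lambda host, pin: False)

    def check(self, host: str, spki_der: bytes, ca_valid: bool) -> Verdict:
        pin = spki_pin(spki_der)
        if host in self.pins:
            # Pinned host: the pin must match AND the CA chain must verify,
            # so each check covers a compromise of the other.
            if pin in self.pins[host] and ca_valid:
                return Verdict.PINNED_OK
            return Verdict.PINNED_REJECT
        known = self.memorized.get(host)
        if known is None:
            # No pin and no memory: trust on first use, but only with consent.
            if self.ask_user(host, pin):
                self.memorized[host] = pin
                return Verdict.TOFU_NEW
            return Verdict.TOFU_REJECTED
        # Persistence of pseudonym: the key must stay the same afterwards.
        return Verdict.TOFU_OK if known == pin else Verdict.TOFU_CHANGED


# Constructed stand-ins for two mirrors' SPKI DER blobs (not real keys).
MIRROR_A_SPKI = b"constructed-spki-der-for-mirror-a"
MIRROR_B_SPKI = b"constructed-spki-der-for-mirror-b"
```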