Re: Debian mirrors and MITM
On Jul 3, 2014, at 12:46 PM, Hans-Christoph Steiner <firstname.lastname@example.org> wrote:
> SSH uses entirely unsigned keys, and it has proven a lot more reliable than
> HTTPS/TLS. You use HTTPS/TLS keys the same way as SSH, but TLS requires
> signed keys, self-signed works. The signatures are only worth the trust path
> behind them, and CAs have not proven to be reliable trust paths. So if you
> can't rely on the signatures, why bother using them? This is not just my
> opinion, but of many others. Google uses SPKI pinning heavily, for example,
> but they still use CA-signed certificates so their HTTPS works with Firefox,
> IE, Opera, etc.
SSH is hand verified when you connect initially (thus creating a “signature”).
Are you are going to hand-verify each signature / key? And then against what? Why not just verify the CD download once and be done with it? If you are paranoid, build a trust relationship with a mirror that provides SSL and save their cert.
Anyway, I’m really over this.
Have a good day.