Debian mirrors and MITM

To: debian-security@lists.debian.org
Subject: Debian mirrors and MITM
From: Alfie John <alfiej@fastmail.fm>
Date: Fri, 30 May 2014 22:15:01 +1000
Message-id: <[🔎] 1401452101.25524.123263721.146F1AFF@webmail.messagingengine.com>
Reply-to: alfiej@fastmail.fm

Hi guys,

Taking a look at the Debian mirror list, I see none serving over HTTPS:

  https://www.debian.org/mirror/list

The public Debian mirrors seem like an obvious target for governments to
MITM. I know that the MD5s are also published, but unless you're
verifying them with third parties, what's stopping the MD5s being
compromised too?

Is there any compelling reason why the public Debian mirrors aren't
served over HTTPS? If there isn't any, then further to this, is there
any reason why not to mandate all public Debian mirrors HTTPS-only?

Alfie

-- 
  Alfie John
  alfiej@fastmail.fm

Reply to:

Follow-Ups:
- Re: Debian mirrors and MITM
  - From: Michael Stone <mstone@debian.org>
- Re: Debian mirrors and MITM
  - From: "Estelmann, Christian" <c.estelmann@gmx.net>
- Re: Debian mirrors and MITM
  - From: Joey Hess <joeyh@debian.org>
- Re: Debian mirrors and MITM
  - From: Paul Wise <pabs@debian.org>

Prev by Date: Re: CVE-2014-0196 and Debian 7
Next by Date: Re: Debian mirrors and MITM
Previous by thread: Re: CVE-2014-0196 and Debian 7
Next by thread: Re: Debian mirrors and MITM
Index(es):
- Date
- Thread