Re: Debian mirrors and MITM
On Jul 3, 2014, at 12:25 PM, Hans-Christoph Steiner <hans@at.or.at> wrote:
> As for how to manage making HTTPS by default, this does not require every mirror buying HTTPS certificates every year from Certificate Authorities. There are workable solutions based on self-signed certificates.
>
> In Android apps, there are two approaches that are gaining traction: including certificate pins based on the Subject Public Key Info (SPKI) in an apt in advance (https://www.imperialviolet.org/2011/05/04/pinning.html). And using "Trust On First Use/Persistence of Pseudonym" aka "Memorizing Trust Manager" (https://github.com/ge0rg/MemorizingTrustManager) to do ssh-style trust with a yes/no prompt the first time. These can also be optionally combined with the classic Certificate Authority, to provide a redundant check.
>
> We've been thinking about how to make this workable, here are some notes:
> https://dev.guardianproject.info/projects/bazaar/wiki/Chained_TLS_Cert_Verification
>
> Or there could be a password-based CA-replacement like http://tack.io
Self-signed? Really?
This is full of issues. Just because someone spends time on an idea, doesn’t mean it’s a good one.
But this does trigger another idea; Debian could create their own CA for managing the project’s SSL infrastructure. Then we would just need to trust the Debian CA.
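To make the two checks from the quoted message concrete (an SPKI pin shipped in advance, with a memorizing/TOFU fallback for hosts that have no pin), here is a small added example; it is not code from either participant or from the linked projects, it parses just enough DER to pull the SubjectPublicKeyInfo out of a certificate, and the `constructed_cert` helper and the `mirror.example.org` host name in the test are assumptions, not real mirror data.

```python
import base64, hashlib

def _tlv(data, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, end_offset)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):                       # split a SEQUENCE body into (tag, value, raw_tlv)
    out, pos = [], 0
    while pos < len(value):
        tag, val, end = _tlv(value, pos)
        out.append((tag, val, value[pos:end]))
        pos = end
    return out

def spki_from_cert(cert_der):
    """Return the raw DER SubjectPublicKeyInfo TLV, the bytes an SPKI pin hashes."""
    _, body, _ = _tlv(cert_der)             # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(body)                  # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # optional version [0] EXPLICIT
        fields = fields[1:]
    return fields[5][2]                     # serial, sigAlg, issuer, validity, subject, SPKI

def spki_pin(cert_der):
    """Base64(SHA-256(SPKI)): survives certificate renewal as long as the key is kept."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()

def verify_mirror(host, cert_der, pins, tofu_store):
    """Pinned hosts must match a shipped pin; other hosts fall back to ssh-style TOFU."""
    pin = spki_pin(cert_der)
    if host in pins:
        return "pinned-ok" if pin in pins[host] else "pin-mismatch"
    seen = tofu_store.get(host)
    if seen is None:
        tofu_store[host] = pin              # a real client prompts the user before memorizing
        return "tofu-learned"
    return "tofu-ok" if seen == pin else "tofu-mismatch"

def _der(tag, value): return bytes([tag, len(value)]) + value   # short-form lengths only

def constructed_cert(spki_payload):
    """Constructed stand-in certificate (assumption): correct field order, dummy contents."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, spki_payload))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

A pin mismatch on a pinned host is the case a CA-signed but wrong certificate would produce, which is exactly what the MITM concern in this thread is about.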