Re: Debian mirrors and MITM

To: Hans-Christoph Steiner <hans@at.or.at>
Cc: debian-security@lists.debian.org
Subject: Re: Debian mirrors and MITM
From: Reid Sutherland <reid@vianet.ca>
Date: Thu, 3 Jul 2014 12:58:37 -0400
Message-id: <[🔎] 3D3DC714-4833-47C3-89AA-D42B14D223D2@vianet.ca>
In-reply-to: <[🔎] 53B588F5.7060606@at.or.at>
References: <1401452101.25524.123263721.146F1AFF@webmail.messagingengine.com> <bfad3c3a-e7f4-11e3-8753-00163eeb5320@msgid.mathom.us> <1401453836.31698.123277245.0BFA1590@webmail.messagingengine.com> <20140530131107.GA7435@roeckx.be> <87bnuf744x.fsf@muck.riseup.net> <[🔎] 476000FE-7A7D-4DAB-B344-A928EF9E3F02@at.or.at> <[🔎] e4cb4f22-02c8-11e4-904c-00163eeb5320@msgid.mathom.us> <[🔎] F3C70EC9-E2E9-48CA-87D9-7CE3F82967BB@at.or.at> <[🔎] CD4E3945-532A-4DAD-9CFA-4742DFDCF4A0@at.or.at> <[🔎] 8EB7DF12-C21B-4A86-A71E-79F4DC0E4003@vianet.ca> <[🔎] 53B588F5.7060606@at.or.at>

On Jul 3, 2014, at 12:46 PM, Hans-Christoph Steiner <hans@at.or.at> wrote:
> 
> SSH uses entirely unsigned keys, and it has proven a lot more reliable than
> HTTPS/TLS.  You use HTTPS/TLS keys the same way as SSH, but TLS requires
> signed keys, self-signed works.  The signatures are only worth the trust path
> behind them, and CAs have not proven to be reliable trust paths.  So if you
> can't rely on the signatures, why bother using them?  This is not just my
> opinion, but of many others.  Google uses SPKI pinning heavily, for example,
> but they still use CA-signed certificates so their HTTPS works with Firefox,
> IE, Opera, etc.
> 

SSH is hand verified when you connect initially (thus creating a “signature”).

Are you are going to hand-verify each signature / key?  And then against what?  Why not just verify the CD download once and be done with it?  If you are paranoid, build a trust relationship with a mirror that provides SSL and save their cert.

Anyway, I’m really over this.

Have a good day.

Reply to:

Follow-Ups:
- Re: Debian mirrors and MITM
  - From: Hans-Christoph Steiner <hans@at.or.at>

References:
- Re: Debian mirrors and MITM
  - From: Hans-Christoph Steiner <hans@at.or.at>
- Re: Debian mirrors and MITM
  - From: Michael Stone <mstone@debian.org>
- Re: Debian mirrors and MITM
  - From: Hans-Christoph Steiner <hans@at.or.at>
- Re: Debian mirrors and MITM
  - From: Hans-Christoph Steiner <hans@at.or.at>
- Re: Debian mirrors and MITM
  - From: Reid Sutherland <reid@vianet.ca>
- Re: Debian mirrors and MITM
  - From: Hans-Christoph Steiner <hans@at.or.at>

Prev by Date: Re: Debian mirrors and MITM
Next by Date: Re: Debian mirrors and MITM
Previous by thread: Re: Debian mirrors and MITM
Next by thread: Re: Debian mirrors and MITM
Index(es):
- Date
- Thread