
Re: HTTPS enabled Debian Security repository



林博仁 wrote...

> I believe that there's no benefit in accessing the Debian archive with HTTPS as
> they use GnuPG for authentication

GnuPG indeed serves the purposes of authenticity and integrity very
well. Modulo bugs every now and then, but they happen on other layers as
well.

Also, nobody should rely on the privacy in this case since the server
content is public and the clients have a fairly simple access pattern.
Decoding the transfers from this isn't trivial but seems doable with some
effort - one day I'll write a proof of concept for this.

There is however a reason for https, a sad one though: Braindead
"security" appliances that do deep packet inspection and might reject
the download of packages.

    Christoph
