
Bug#725092: HTTPS should be supported on www.debian.org





Hi,
I see that HTTPS was enabled for www.debian.org

https://lists.debian.org/debian-www/2014/02/msg00041.html

Could you please also set HSTS (HTTP Strict Transport Security) for
www.debian.org?
HSTS will help to protect users from SSL-stripping attacks. This can be
done on Apache using:

# load module (example using [RHEL])
LoadModule headers_module modules/mod_headers.so

<VirtualHost 10.0.0.1:443>
      # Use HTTP Strict Transport Security to force client to use secure connections only
      Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

Please consider also getting an SSL certificate for your subdomain
search.debian.org.



There is a very good talk from Adam Langley (the engineer behind
Google's HTTPS serving infrastructure and Google Chrome's network stack)
about securing web sites with HTTPS:

HOPE number 9 (2012) | 2600 - The State of HTTPS
https://www.youtube.com/watch?v=LBbCec4Bp10


Milan

On 23.10.2013 14:29, Milan Kral wrote:
> It would be useful to have HTTPS because of the widespread mass surveillance
>
> https://en.wikipedia.org/wiki/2013_mass_surveillance_disclosures#.22Mastering_the_Internet.22
> https://en.wikipedia.org/wiki/Bullrun_%28code_name%29
>
>> ** Tue, 01 Oct 2013 14:26:53 +0200 - 725092@bugs.debian.org, "Gerfried Fuchs" <rhonda@deb.at> **
>>
>> HTTPS makes MiTM attacks harder. There is important information
>> on www.debian.org which should be protected against modification.
>> For example GPG fingerprints:   http://www.debian.org/CD/verify
>>
>> Of course GPG keys should be checked using Web of Trust, but
>> HTTPS could be the first layer of protection. From the user
>> point of view it's automatic and transparent.
>>
>> keyring.debian.org doesn't support HTTPS ...
>>
>>
>>> ** Tue, 1 Oct 2013 13:59:28 +0200 - 725092@bugs.debian.org, "Gerfried Fuchs" <rhonda@deb.at> **
>>>
>>> * milan.kral <milan.kral@azet.sk> [2013-10-01 13:34:05 CEST]:
>>>> www.debian.org is the important main Debian web page, but it doesn't
>>>> support https. Could it be possible to enable HTTPS? For example
>>>> lists.debian.org and wiki.debian.org support HTTPS.
>>>
>>>  Because on lists.debian.org you have subscribe information, handing
>>> over email addresses that you might not want to get eavesdropped, and on
>>> wiki you have login information that you clearly don't want to have go
>>> unencrypted over the wire.
>>>
>>>  What information you consider exchanging with www.debian.org that you
>>> consider sensitive and needing https?  "Because we can" doesn't sound
>>> very convincing to me.  :)
>>>
>>>  Enjoy!
>>> Rhonda
>>> --
>>> If you feel discouraged, finally take courage, go   |
>>> If you feel helpless, go out and help, go           | Wir sind Helden
>>> If you feel powerless, go out and act, go           | 23.55: Alles auf Anfang
>>> If you feel unmoored, find a hold and let go        |

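The Apache snippet in the report sets the header; what actually protects users is how the browser evaluates it. The following is an added example (not part of the bug report or of Debian's configuration) that checks a response's Strict-Transport-Security header the way a user agent does under RFC 6797: ignored over plain HTTP, discarded when malformed or when a directive is duplicated, and flagged when max-age is short or includeSubDomains is missing. The sample responses are constructed, so it runs offline.

```python
"""Evaluate Strict-Transport-Security headers the way a browser does (RFC 6797)."""
import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds, the max-age used in the Apache snippet


def parse_sts(header: str) -> Optional[Dict[str, str]]:
    """Split an STS header into directives; None means a UA would discard it.
    RFC 6797 s6.1: max-age is mandatory and numeric, no directive may appear twice."""
    directives: Dict[str, str] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not name:
            continue  # tolerate a trailing ';'
        if name in directives:
            return None  # duplicate directive: the whole header is ignored
        directives[name] = value.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    return directives


def check_hsts(scheme: str, headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means the policy is sound."""
    sts = next((v for k, v in headers.items()
                if k.lower() == "strict-transport-security"), None)
    if scheme.lower() != "https":
        # UAs ignore STS received over plain HTTP; only an https response can set it.
        return ["response is plain HTTP; HSTS can only be set over HTTPS"]
    if sts is None:
        return ["missing Strict-Transport-Security header"]
    d = parse_sts(sts)
    if d is None:
        return ["malformed STS header, browsers will ignore it"]
    findings = []
    if int(d["max-age"]) < ONE_YEAR:
        findings.append(f"max-age {d['max-age']} is below one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing, subdomains stay unprotected")
    return findings


# Constructed sample responses (scheme, headers): the header proposed in the
# bug report, a short max-age, a duplicated directive, and STS over plain HTTP.
SAMPLES = {
    "proposed": ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "short": ("https", {"Strict-Transport-Security": "max-age=600"}),
    "dup": ("https", {"strict-transport-security": "max-age=1; max-age=31536000"}),
    "plain": ("http", {"Strict-Transport-Security": "max-age=31536000"}),
}
```

Run `check_hsts(*SAMPLES["proposed"])` to see the proposed header pass with no findings; the other samples each produce one of the failure modes above.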