
Debian Users Can't Get/View Integrity / File-Signing GPG Pubkey Over HTTPS/HKPS Encrypted Connection



Hi,

isn't it amazing & SAD that currently DEBIAN USERs CANNOT OBTAIN ANY hash/integrity CODE/file, or signature/sign code/file for CD-DVD ISO file, or the file-signing GPG pubkey file, OVER/THRU a (HTTPS/HKPS) ENCRYPTED connection ? !!! (from the primary domain/server "debian.org" or "www.debian.org" website, or from "keyring.debian.org") !  do you not notice it !!! ?

in https://www.debian.org/CD/verify webpage: (1a) please Show+Enable HTTPS based link to "keyring.debian.org" subdomain keyserver, and enable HKPS based GPG KeyServer & display correct HKPS based link on "keyring.debian.org" webpage, or (1b) Allow Single GPG PUBKEY File Download (which is including all file-signing pubkeys), Over (HTTPS) ENCRYPTED CONNECTION, from that "verify" webpage.  And (2) display CD/DVD ISO-file's HASH/CheckSUMS INTEGRITY codes/files (and "SIGN" & "Signature" files) over HTTPS webpage, under that "debian.org/CD/" sub-folder for last+stable debian release, (and also allow HTTPS based "*.bittorrent" index-file download).

in the https://keyring.debian.org/ webpage, also show this, example command-line:
gpg2 --keyserver hkps://keyring.debian.org:443 --recv-keys 0x42468F4009EA8AC3

If above steps are done, only then very-large sized (few GIGABYTES sized) ISO-files can be delivered to users, or users can obtain, over non-encrypted HTTP or FTP etc open & non-encrypted connection.  In fact, all users should be forced to download large-sized ISO CD/DVD files over HTTP based Non-Encrypted connection (by using URL-REDIRECTING mechanism in "cdimage.debian.org" subdomain web-server side), ONLY WHEN INTEGRITY CODEs, SIGN Codes & GPG/PGP PUBKEY etc TINY files are downloadable over direct (HTTPS/HKPS) ENCRYPTED & VERIFIED CONNECTION.  But now you've kept all files over HTTP ! :(  none of the TINY integrity files are downloadable over HTTPS ENCRYPTED connection/TRANSFER !!! :(

CD/DVD image ISO file's GPG-SIGNATURE (sig) FILE or SHAnnnSUMS INTEGRITY FILES (or FILE-SIGNING GPG Pubkey file, or file's integrity/hash code SIGNING "SIGN" file) etc, all of these files are very very TINY SIZED FILES (few KILOBYTES only), compared to the VERY large (gigabytes) sized main file, the ISO CD/DVD image files.  So AT-LEAST sig/sign file + Sums/Hash integrity code files, need to be shared with all users (from "https://cdimage.debian.org" or https://www.debian.org/CD/ website) over HTTPS Encrypted connection/transfer.  Currently the "cdimage.debian.org" sub-domain server does not support HTTPS connections & so none of the tiny files are downloadable over HTTPS ENCRYPTED connection !!!

if those tiny files are downloadable over HTTPS encrypted connection, then users can match/compare, "codes" obtained (over secure HTTPS/HKPS Encrypted connection) from SUMS/hash integrity file, with the calculated hash code of the downloaded ISO file, (or by using a GPG tool, user can verify the authenticity of downloaded ISO file, by using securely downloaded signature file).

since "Debian.org" website is now already DNSSEC signed by its own developers :)  and website's used TLS/SSL cert is also defined+declared in TLSA/DANE dns record :)  so all HTTPS webpage INFO from primary website ("https://www.debian.org/") are already (SSL/TLS CA, and, DANE DNSSEC), double channel (aka, double TA) verified.  Users can very easily see indication (for free or almost at no-cost) of this double-verification, if they use https://www.dnssec-validator.cz/ addon in (firefox/IE/safari/chrome) web-browser, etc, AND, if a local full dnssec supported dns-resolver, (like "unbound" from https://www.unbound.net/) is used.

please MENTION about these two or similar (DNSSEC-Validator, Unbound) APP, IN THAT primary domain "verify" WEBPAGE, so that all users+people can know there are OTHER existing & alternative & trustworthy ways, to verify/authenticate,  And "debian.org" website & its Devs have already implemented+using them.   Unless you mention about "DNSSEC" in that "verify" webpage, how else would people/users know about using this alternative ? !!!  don't assume every1 is traveling around the world & meeting correct people all the time, & know all kinds of (correct or alternative) ways.

please allow your/debian users to enjoy & utilize this double-verification, for getting tiny file-integrity (sums/hash) code files, over HTTPS based encrypted connection from a DNSSEC signed & DANE authenticated website.

Please fix these issues, and update your website. Thank you.

I'm also posting, a similar (not exactly same) request, in Debian-CD Mailing-list, as it requires attention from packagers & devs working on CDs/DVDs, to place & show the integrity-files into primary domain (along with showing in "cdimage" subdomain).  Also posting a similar (not exactly same) request in Debian-www Mailing-list, as it requires them to update SSL cert for the "keyring" & "cdimage" subdomain & update the "verify" webpage.  Keeping Debian-Security Mailing-list discussion in detail, here, as it involves Debian installer & related file's integrity & Debian webserver's data TRANSFER security.

-- Erik.
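
The comparison step the message describes (a checksum taken from a SHAnnnSUMS file versus the hash computed from the downloaded image), as an added example that is not part of the original post. The file name and image contents are constructed, and the sums text is assumed to have already been obtained over an authenticated channel or checked against its signature file; that step is not shown.

```python
import hashlib
import os
import tempfile

# Digest length in hex characters -> algorithm (SHA256SUMS / SHA512SUMS style files).
ALGO_BY_HEXLEN = {64: "sha256", 128: "sha512"}

def parse_sums(text):
    """Parse coreutils-style lines: '<hex>  <name>' (text) or '<hex> *<name>' (binary)."""
    entries = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        digest, sep, rest = raw.partition(" ")
        digest = digest.lower()
        well_formed = (sep and len(rest) >= 2 and rest[0] in " *"
                       and len(digest) in ALGO_BY_HEXLEN
                       and all(c in "0123456789abcdef" for c in digest))
        if not well_formed:
            raise ValueError(f"malformed checksum line: {raw!r}")
        entries[rest[1:]] = digest  # drop the one-character mode marker
    return entries

def file_digest(path, algo, chunk=1 << 20):
    """Hash in 1 MiB chunks so a multi-gigabyte image never sits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(image_path, sums_text):
    """Return 'ok', 'mismatch', or 'not-listed' (no entry for this file name)."""
    expected = parse_sums(sums_text).get(os.path.basename(image_path))
    if expected is None:
        return "not-listed"  # a missing entry is never treated as success
    actual = file_digest(image_path, ALGO_BY_HEXLEN[len(expected)])
    return "ok" if actual == expected else "mismatch"

def demo():
    """Constructed data: a small stand-in file plays the role of the ISO."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "example-netinst.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed stand-in for a large image\n")
        sums = file_digest(iso, "sha512") + "  example-netinst.iso\n"
        intact = verify_image(iso, sums)
        with open(iso, "ab") as f:
            f.write(b"modified in transit")  # simulate alteration over plain HTTP
        altered = verify_image(iso, sums)
        unlisted = verify_image(iso, "0" * 128 + "  other.iso\n")
        return intact, altered, unlisted

if __name__ == "__main__":
    print(demo())
```

The result is only as trustworthy as the source of the sums text: if the checksum file travels over the same unauthenticated connection as the image, both can be altered together and the comparison still passes.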
