Bug#873122: HTTP Link to Keyring

To: submit@bugs.debian.org
Subject: Bug#873122: HTTP Link to Keyring
From: Hanno Böck <hanno@hboeck.de>
Date: Thu, 24 Aug 2017 19:53:59 +0200
Message-id: <[🔎] 20170824195359.7626c3ca@pc1>
Reply-to: Hanno Böck <hanno@hboeck.de>, 873122@bugs.debian.org

Package: www.debian.org

When downloading a Debian CD there's a webpage explaining how to verify
signatures:
https://www.debian.org/CD/verify

This recommends to check the signatures with the keys from the Debian
GPG keyring. However that link is HTTP, pointing to:
http://keyring.debian.org/

It will immediately redirect to HTTPS, but an attacker could intercept
that redirection and present a user with a malicious keyring instead.

This makes the verification kinda pointless, as the keyring is
delivered over a potentially insecure channel. The lack of HSTS on
debian.org makes this particularly worriesome. Please change that link
to HTTPS.

Reply to:

Follow-Ups:
- Bug#873122: HTTP Link to Keyring
  - From: Phil <philipw@riseup.net>
- Bug#873122: marked as done (HTTP Link to Keyring)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Re: Bug#873122: HTTP Link to Keyring
  - From: Andreas Ronnquist <mailinglists@gusnan.se>

Prev by Date: seems ...
Next by Date: Teach Your Website Visitors How To Say 'Arista' Correctly!
Previous by thread: Re: seems ...
Next by thread: Bug#873122: HTTP Link to Keyring
Index(es):
- Date
- Thread