Bug#873122: HTTP Link to Keyring
Package: www.debian.org
When downloading a Debian CD there's a webpage explaining how to verify
signatures:
https://www.debian.org/CD/verify
This recommends checking the signatures with the keys from the Debian
GPG keyring. However, that link is HTTP, pointing to:
http://keyring.debian.org/
It will immediately redirect to HTTPS, but an attacker could intercept
that redirection and present a user with a malicious keyring instead.
This makes the verification kinda pointless, as the keyring is
delivered over a potentially insecure channel. The lack of HSTS on
debian.org makes this particularly worrisome. Please change that link
to HTTPS.
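The two conditions the report describes (a plain-HTTP link on the verify page, and no HSTS header on the redirect target) can both be checked mechanically. The following is an added example, not code from the bug report or from the Debian web team: it collects `http://` anchors from a page and parses a `Strict-Transport-Security` header. The sample HTML and header sets are constructed for the example; the function names are the author's own.

```python
"""Added example (not part of the Debian bug report): two checks a site
maintainer could run to catch the problem the report describes.

1. find_http_links(html): list anchors whose href uses plain http://,
   so a page like /CD/verify can be audited for links that leave users
   exposed to a downgraded first request before HTTPS takes over.
2. parse_hsts(headers): read a Strict-Transport-Security header and
   report max-age / includeSubDomains, or None when the header is
   absent (the "lack of HSTS" the report mentions).

Sample HTML and headers below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Minimal parser that records every <a href=...> value."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_http_links(html):
    """Return hrefs whose scheme is plain http (case-insensitive).
    Relative links have an empty scheme and are not reported."""
    parser = _LinkCollector()
    parser.feed(html)
    return [h for h in parser.hrefs if urlsplit(h).scheme.lower() == "http"]


def parse_hsts(headers):
    """headers: dict of response headers (name -> value), any name case.
    Returns {"max_age": int, "include_subdomains": bool}, or None when
    the header is missing or malformed (i.e. no HSTS protection)."""
    value = None
    for name, v in headers.items():
        if name.lower() == "strict-transport-security":
            value = v
            break
    if value is None:
        return None
    result = {"max_age": 0, "include_subdomains": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        key, _, val = directive.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            try:
                result["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                return None  # malformed max-age: treat as unprotected
        elif key == "includesubdomains":
            result["include_subdomains"] = True
    return result


# Constructed sample page containing the kind of link the report complains about.
SAMPLE_HTML = """
<p>Fetch the keys from the <a href="http://keyring.debian.org/">Debian keyring</a>
and the images from <a href="https://cdimage.debian.org/">cdimage</a>.
<a href="/CD/faq/">FAQ</a></p>
"""

# Constructed response headers: one host with HSTS, one without.
HEADERS_WITH_HSTS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
HEADERS_WITHOUT_HSTS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for url in find_http_links(SAMPLE_HTML):
        print("insecure link:", url)
    print("HSTS (with):", parse_hsts(HEADERS_WITH_HSTS))
    print("HSTS (without):", parse_hsts(HEADERS_WITHOUT_HSTS))
```

Feeding the real page's HTML to `find_http_links` would flag the keyring link; feeding the response headers of the HTTPS host to `parse_hsts` tells you whether a browser that has visited once will refuse the plain-HTTP hop on later visits.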