Bug#873122: HTTP Link to Keyring
Hi Hanno,
Thank you very much for bringing this to our attention.
I'll submit a patch shortly for approval to get this amended.
Please do let us know if you spot anything else!
Phil
On Thu, 24 Aug 2017 19:53:59 +0200 Hanno Böck <hanno@hboeck.de> wrote:
> Package: www.debian.org
>
> When downloading a Debian CD there's a webpage explaining how to verify
> signatures:
> https://www.debian.org/CD/verify
>
> This recommends to check the signatures with the keys from the Debian
> GPG keyring. However that link is HTTP, pointing to:
> http://keyring.debian.org/
>
> It will immediately redirect to HTTPS, but an attacker could intercept
> that redirection and present a user with a malicious keyring instead.
>
> This makes the verification kinda pointless, as the keyring is
> delivered over a potentially insecure channel. The lack of HSTS on
> debian.org makes this particularly worrisome. Please change that link
> to HTTPS.
>
>
--
Phil
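Added example, not part of the bug report or of Debian's own site code: a small audit that finds plaintext-HTTP links in a page and shows the https:// upgrade the report asks for. The HTML below is a constructed stand-in for the verify page, not a copy of it.

```python
"""Audit a page for plaintext-HTTP links, as in the keyring link reported above.

Added example (not Debian's code). SAMPLE_HTML is a constructed stand-in for
the https://www.debian.org/CD/verify page, not its real contents.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one secure link and one plaintext-HTTP link to the keyring host.
SAMPLE_HTML = """
<p>Verify the checksum signatures with the keys in the
<a href="http://keyring.debian.org/">Debian keyring</a> and compare against
<a href="https://www.debian.org/CD/verify">the instructions</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect every href found in <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_plaintext_links(html):
    """Return the hrefs whose scheme is plain http.

    An http:// link is the weak point the report describes: the first request
    is unauthenticated, so a redirect to https can be replaced by a response a
    network attacker controls. Linking https:// directly (and HSTS on the host)
    removes that first unauthenticated hop.
    """
    parser = LinkCollector()
    parser.feed(html)
    return [h for h in parser.hrefs if urlparse(h).scheme == "http"]


def upgraded(href):
    """Rewrite an http:// URL to https://, the change requested in the report."""
    parts = urlparse(href)
    return parts._replace(scheme="https").geturl() if parts.scheme == "http" else href


if __name__ == "__main__":
    for bad in find_plaintext_links(SAMPLE_HTML):
        print(f"plaintext link: {bad} -> {upgraded(bad)}")
```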