
Bug#873122: HTTP Link to Keyring



Hi Hanno,

Thank you very much for bringing this to our attention.

I'll submit a patch shortly for approval to get this amended.

Please do let us know if you spot anything else!

Phil

On Thu, 24 Aug 2017 19:53:59 +0200 Hanno Böck <hanno@hboeck.de> wrote:
> Package: www.debian.org
> 
> When downloading a Debian CD there's a webpage explaining how to verify
> signatures:
> https://www.debian.org/CD/verify
> 
> This recommends to check the signatures with the keys from the Debian
> GPG keyring. However that link is HTTP, pointing to:
> http://keyring.debian.org/
> 
> It will immediately redirect to HTTPS, but an attacker could intercept
> that redirection and present a user with a malicious keyring instead.
> 
> This makes the verification kinda pointless, as the keyring is
> delivered over a potentially insecure channel. The lack of HSTS on
> debian.org makes this particularly worrisome. Please change that link
> to HTTPS.
> 
> 
-- 
Phil
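A defender-side check for the problem Hanno reports, added here as an example and not part of the bug report or of the Debian website code: it flags plain-HTTP links in a page (the sample HTML is constructed) and parses the max-age of a Strict-Transport-Security header from a response header map, so a site operator can confirm that the verify page links only to HTTPS and that HSTS is actually being sent.

```python
# Added example (not part of the bug report): flag plain-HTTP links on a
# page and parse the HSTS header of a response. Sample data is constructed.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the verification page: one link is plain HTTP.
SAMPLE_HTML = """
<p>Check signatures with keys from the
<a href="http://keyring.debian.org/">Debian GPG keyring</a>; see also
<a href="https://www.debian.org/CD/verify">the verify page</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collects every href attribute from <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_http_links(html):
    """Return hrefs whose scheme is plain http (scheme compared lowercase)."""
    parser = LinkCollector()
    parser.feed(html)
    return [h for h in parser.hrefs if urlsplit(h).scheme.lower() == "http"]


def hsts_max_age(headers):
    """Return max-age from Strict-Transport-Security, or None if absent/malformed.

    Header names are matched case-insensitively; only the first STS header counts.
    """
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            for directive in value.split(";"):
                key, _, val = directive.strip().partition("=")
                if key.lower() == "max-age" and val.strip().isdigit():
                    return int(val.strip())
            return None
    return None
```

Any link returned by find_http_links is one an on-path attacker can tamper with before the HTTPS redirect happens, which is exactly the gap the report describes.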
