
Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates



On Mon, Mar 26, 2018 at 9:39 PM, Rhonda D'Vine wrote:
> * Martin Monperrus:
>> Would it make sense to keep track of valid https support for the
>> secondary mirrors?
>
>  Actually the issue still holds: The mirror team needs to repoint
> mirrors to other servers at times and thus the certificate there
> wouldn't include those redirected mirrors.

The mirror team don't control the DNS for secondary mirrors. The
individual mirror admins could be doing that, but it seems unlikely to
me.

> I am aware that there is a privacy concern involved, like what packages
> get downloaded, but apart from that that's the only knowledge to gain
> from unencrypted http traffic.

https doesn't provide protection against correlation of download size
to packages downloaded, so it doesn't have much advantage over http
for package download privacy.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
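
An added illustration of the size-correlation point in the message above, not part of the original message or of any Debian tooling: it measures how many packages share the same observable transfer size, with and without padding. The package names and sizes are constructed, the padding bucket is a hypothetical mitigation, and the model assumes TLS overhead is constant so the body length is visible to an observer.

```python
from collections import Counter

# Constructed sample: package name -> .deb size in bytes (not real archive data).
PACKAGES = {
    "pkg-a": 48_212,
    "pkg-b": 48_900,
    "pkg-c": 131_072,
    "pkg-d": 131_500,
    "pkg-e": 1_204_224,
    "pkg-f": 52_000,
}


def padded(size, bucket):
    """Observable size if responses were padded up to a multiple of bucket.

    bucket=1 models plain HTTPS, which hides content but not length.
    """
    return -(-size // bucket) * bucket  # ceiling division, then scale back up


def anonymity_sets(packages, bucket=1):
    """Map each package to the number of packages sharing its observable size."""
    counts = Counter(padded(size, bucket) for size in packages.values())
    return {name: counts[padded(size, bucket)] for name, size in packages.items()}


def uniquely_identifiable(packages, bucket=1):
    """Packages whose observable size matches no other package in the index."""
    sets = anonymity_sets(packages, bucket)
    return sorted(name for name, k in sets.items() if k == 1)


if __name__ == "__main__":
    for bucket in (1, 65536):
        exposed = uniquely_identifiable(PACKAGES, bucket)
        print(f"bucket={bucket}: {len(exposed)}/{len(PACKAGES)} identifiable by size: {exposed}")
```
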

