
Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates



* Paul Wise <pabs@debian.org> [2018-03-26 15:52:45 CEST]:
> On Mon, Mar 26, 2018 at 9:39 PM, Rhonda D'Vine wrote:
> > * Martin Monperrus:
> >> Would it make sense to keep track of valid https support for the
> >> secondary mirrors?
> >
> >  Actually the issue still holds: The mirror team needs to repoint
> > mirrors to other servers at times and thus the certificate there
> > wouldn't include those redirected mirrors.
> 
> The mirror team don't control the DNS for secondary mirrors. The
> individual mirror admins could be doing that, but it seems unlikely to
> me.

 Right, but DNS for the primary ones, and pointing them towards a server
that isn't under their control would mean that they'd have to carry a
*.debian.org wildcard certificate.  Which won't happen for non-DSA
operated infrastructure.

> > I am aware that there is a privacy concern involved, like what packages
> > get downloaded, but apart from that that's the only knowledge to gain
> > from unencrypted http traffic.
> 
> https doesn't provide protection against correlation of download size
> to packages downloaded, so it doesn't have much advantage over http
> for package download privacy.

 Ah, right, forgot about that point.  So even that point is moot.
Thanks for pointing that out. :)

 Enjoy,
Rhonda
-- 
If you feel discouraged, finally take heart, go     |
If you feel helpless, go out and help, go           | Wir sind Helden
If you feel powerless, go out and act, go           | 23.55: Alles auf Anfang
If you feel unmoored, find a hold and let go        |
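Paul's point above (transfer size leaks which .deb was fetched even over HTTPS) and the mitigation it implies, as an added illustration that is not part of the thread or of any Debian tooling. The package index, sizes and TLS/HTTP overhead model are constructed assumptions; the point is that matching is against the public Packages index, and only padding to fixed-size buckets widens the set of packages a given size could be.

```python
"""Why HTTPS alone does not hide which .deb was downloaded: the encrypted
transfer size is visible on the wire, and every .deb size is public.
Added illustration; index, sizes and overhead numbers are constructed."""
import math

# Constructed mini "Packages" index: package name -> .deb size in bytes.
# pkg-a and pkg-b deliberately share a size.
PACKAGE_SIZES = {
    "pkg-a": 102_400,
    "pkg-b": 102_400,
    "pkg-c": 350_000,
    "pkg-d": 1_234_567,
}

HTTP_HEADER_BYTES = 300       # assumed size of the HTTP response headers
TLS_RECORD_BYTES = 16_384     # maximum TLS record plaintext
TLS_RECORD_OVERHEAD = 29      # assumed per-record header + AEAD tag bytes


def pad_up(size, bucket):
    """Round a body size up to the next multiple of `bucket`."""
    return math.ceil(size / bucket) * bucket


def wire_size(body_bytes, pad_bucket=None):
    """Bytes an on-path observer sees for one HTTPS response (simple model).
    With pad_bucket set, the server is assumed to pad the body first."""
    body = pad_up(body_bytes, pad_bucket) if pad_bucket else body_bytes
    plaintext = HTTP_HEADER_BYTES + body
    records = math.ceil(plaintext / TLS_RECORD_BYTES)
    return plaintext + records * TLS_RECORD_OVERHEAD


def candidates(observed_bytes, pad_bucket=None, slack=0.01):
    """Packages whose modelled wire size is within `slack` of the observed
    transfer size; this is the observer's anonymity set for one download."""
    return sorted(name for name, deb in PACKAGE_SIZES.items()
                  if abs(wire_size(deb, pad_bucket) - observed_bytes)
                  <= slack * observed_bytes)


if __name__ == "__main__":
    # Unpadded: a download of pkg-c is uniquely identified by its size.
    print(candidates(wire_size(PACKAGE_SIZES["pkg-c"])))
    # Same-size packages at least share an anonymity set of two.
    print(candidates(wire_size(PACKAGE_SIZES["pkg-a"])))
    # Padding bodies to 1 MiB buckets merges three packages into one set.
    bucket = 1 << 20
    print(candidates(wire_size(PACKAGE_SIZES["pkg-c"], bucket), pad_bucket=bucket))
```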

