[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

* Paul Wise <pabs@debian.org> [2018-03-26 15:52:45 CEST]:
> On Mon, Mar 26, 2018 at 9:39 PM, Rhonda D'Vine wrote:
> > * Martin Monperrus:
> >> Would it make sense to keep track of valid https support for the
> >> secondary mirrors?
> >
> >  Actually the issue still holds: The mirror team needs to repoint
> > mirrors to other servers at times and thus the certificate there
> > wouldn't include those redirected mirrors.
> The mirror team don't control the DNS for secondary mirrors. The
> individual mirror admins could be doing that, but it seems unlikely to
> me.

 Right, but DNS for the primary ones, and pointing them towards a server
that isn't under their control would mean that they'd have to carry a
*.debian.org wildcard certificate.  Which won't happen for non-DSA
operated infrastructure.

> > I am aware that there is a privacy concern involved, like what packages
> > get downloaded, but appart from that that's the only knowledge to gain
> > from unencrypted http traffic.
> https doesn't provide protection against correlation of download size
> to packages downloaded, so it doesn't have much advantage over http
> for package download privacy.

 Ah, right, forgot about that point.  So even that point is moot.
Thanks for pointing that out. :)

Fühlst du dich mutlos, fass endlich Mut, los      |
Fühlst du dich hilflos, geh raus und hilf, los    | Wir sind Helden
Fühlst du dich machtlos, geh raus und mach, los   | 23.55: Alles auf Anfang
Fühlst du dich haltlos, such Halt und lass los    |

Reply to: