On Thu, 2014-06-12 at 10:56 +0200, Jakub Wilk wrote:
> $ grep -r /soap.cgi lib/
> lib/debian/btssoap.rb: @server="http://#{host}:#{port}/cgi-bin/soap.cgi"

:-(

> bts(1) and reportbug(1) don't use HTTPS either, AFAICS. :-(
> I noticed that http://bugs.debian.org/ started redirecting to the HTTPS
> variant recently. But it's only a temporary redirect.

Redirects generally don't protect you...

> In general, I'd love to see all the d.o services that are currently
> available over HTTP to move to HTTPS, with permanent redirects and
> STS enabled.

Yep :)

> >but since Debian nowadays uses certs from GANDI,
>
> I'm not quite happy about this either. I suppose it's a tradeoff between
> security and usability...

Well... IMHO it's a bad tradeoff... Debian has had its own CA... and all users that got their Debian via some trusted path could have really secure SSL/TLS with Debian... Now we have GANDI, which makes Debian's certs 4th level certs... anyone in the hierarchy above can forge any Debian certs... (not to talk about the problem that all clients usually trust gazillions of CAs and not just the one we need)...

Debian should rather have continued with their own CA and place that even in some country which doesn't have something like national security letters and gag orders.

Supplying the Debian Root CA to people not using Debian could have been easily done by a *single* site that uses a cert available in all browsers... which offers the Debian Root CA for secure and "trusted" download.

> Last time I checked trust and security were not binary. :>

Well actually security *is* black and white... an attacker won't just attack you a "little bit" if he sees a security hole...

Cheers,
Chris.
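Added example (not part of the thread, nor code from any Debian tool): a small Python checker for the two properties the exchange above asks for, a permanent rather than temporary redirect to HTTPS and an STS policy that a browser will actually honour. The sample responses and the host example.org are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class HttpsPosture:
    permanent_redirect: Optional[bool]  # None: response is not a redirect
    to_https: bool                      # Location points at an https:// URL
    hsts_max_age: Optional[int]         # None: no usable STS policy
    hsts_subdomains: bool

def parse_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP response head into (status code, lower-cased headers)."""
    lines = raw.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def parse_hsts(value: str) -> Tuple[Optional[int], bool]:
    """Parse an STS value such as 'max-age=31536000; includeSubDomains'."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and arg.strip().strip('"').isdigit():
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            subdomains = True
    return max_age, subdomains

def assess(raw: str, received_over_tls: bool) -> HttpsPosture:
    """Classify the redirect and extract the STS policy. RFC 6797 requires a
    UA to ignore STS received over plain HTTP, so it only counts over TLS."""
    status, headers = parse_head(raw)
    permanent = {301: True, 308: True, 302: False, 303: False, 307: False}.get(status)
    to_https = headers.get("location", "").lower().startswith("https://")
    max_age, subdomains = None, False
    sts = headers.get("strict-transport-security")
    if sts and received_over_tls:
        max_age, subdomains = parse_hsts(sts)
    return HttpsPosture(permanent, to_https, max_age, subdomains)

# Constructed samples (not captured responses): a temporary redirect like the
# one noted in the thread, a permanent one, and an STS policy served over TLS.
TEMP_REDIRECT = "HTTP/1.1 302 Found\r\nLocation: https://example.org/\r\n\r\n"
PERM_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.org/\r\n\r\n"
STS_OVER_TLS = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"
```

The temporary redirect sample reports `permanent_redirect=False`, the same STS header reports no policy when `received_over_tls=False`.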