]] Wouter Verhelst
> On Sunday 13 July 2014 22:13:10, Martin Zobel-Helas wrote:
> > Furthermore, we will change the people.debian.org web-service such that
> > only HTTPS connections will be supported (unencrypted requests will be
> > redirected).
>
> Why?

Because the world is a nastier place than it used to be. It's like the move from telnet to SSH many moons ago; all protocols ought to be encrypted today.

> Please note that there remain cases where accessing HTTPS is difficult
> or impossible. One of these (but by no means the only one) is the
> current release of debian-installer: the wget implementation inside
> stable d-i does not support https, so downloading files from people.d.o
> (e.g., for preseeding) will become impossible if this is implemented as
> stated.

Hopefully you're not preseeding from an HTTP source, since that means you're quite vulnerable to trivial MITM attacks unless you do extra checking against checksums (something d-i doesn't support, AFAIK).

> Is there an actual attack vector that we're trying to protect against
> which requires us to disable plain HTTP, or is this just yet another
> instance of the bogus "HTTP is obsolete" idea?

There are lots of attack vectors. It's not a response to a single attack being exploited in the wild.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Archive: https://lists.debian.org/877g39f4rs....@xoog.err.no
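The "extra checking against checksums" that Tollef describes as the mitigation for plain-HTTP preseeding, as an added example that is not code from the thread or from debian-installer: a fail-closed wrapper that fetches a preseed file with wget and discards it unless its SHA-256 matches a digest pinned out of band. It assumes wget and either sha256sum or shasum are available on the host; the function names are this example's own.

```shell
#!/bin/sh
# Added example: pin a preseed file's SHA-256 so that a man-in-the-middle
# altering a plain-HTTP download is detected rather than obeyed.
# Assumes wget (as used by d-i) and sha256sum or shasum on the host.

# sha256_of FILE -> prints the hex SHA-256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_preseed FILE EXPECTED_HEX -> exit 0 if the digest matches, 1 otherwise
# (a missing or unreadable FILE yields an empty digest and therefore fails)
verify_preseed() {
    actual=$(sha256_of "$1" 2>/dev/null)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# fetch_preseed URL EXPECTED_HEX DEST -> download, verify, and remove DEST
# (returning 1) if the download or the checksum check fails
fetch_preseed() {
    url=$1; expected=$2; dest=$3
    wget -q -O "$dest" "$url" || { rm -f "$dest"; return 1; }
    if verify_preseed "$dest" "$expected"; then
        return 0
    fi
    rm -f "$dest"
    echo "preseed from $url failed checksum; refusing to use it" >&2
    return 1
}
```

The pinned digest has to come from a trusted channel (e.g. copied from the machine that produced the preseed), since a hash served over the same unauthenticated HTTP path proves nothing.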