On 20 July 2014 10:07, Wouter Verhelst <w...@uter.be> wrote:
> With the state of the CA cartel these days, I have little
> trust in the strength of HTTPS as a verification mechanism, and so I
> wouldn't trust a file to be correct even if it came through an HTTPS
> connection that validates. Instead, I would only trust such a file if it
> came with a GPG signature from a key that is in the Debian keyring.
Good, because that's not what HTTPS does for you. It makes it more difficult to watch exactly what you're accessing.

Suppose for example I uploaded a preseed file to people.debian.org that created a Tor relay, and a suitably large government agency wanted to see all the IP addresses installing it. With HTTP, they just break into the internet backbone at an appropriate point, and log every request for that file in a *completely undetectable manner*. With HTTPS, they either need to break into the machine running people.debian.org, or start presenting a different SSL certificate - both things which can potentially be detected.

Another situation is if a dissident accesses people.debian.org via Tor. With HTTP, the operator of the exit node they are using could MITM the request and tamper with the file - no state intervention required. If it's a web page, they could potentially attempt to exploit the browser.

>> > Additionally, since debian.org uses DNSSEC, if you can somehow MITM
>> > people.debian.org then due to DANE you can MITM it for HTTP as well as
>> > HTTPS, so forcing HTTPS really doesn't gain you much.

In this scenario, you gain that if the adversary wants to see what you're doing with your HTTPS connection, they need to do something potentially noticeable like change the SSL certificate being offered.

> Again, I support enabling HTTPS, and I support making it the default
> if possible. I just don't think disabling plain HTTP is a good idea.

Annoyingly, unless d-i supports SSL (or runs Tor), taking this very sensible move is rather inconvenient.

Another potential use for plain HTTP would be if we installed a Tor hidden service on paradis, and published the address in a GPG-signed message. You would avoid the CA cartel, and have some assurance of privacy.

Kind regards,

-- 
Tim Retout <dioc...@debian.org>
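The check Wouter describes, trusting a fetched preseed file only when its detached GPG signature verifies against a pinned keyring, as an added example that is not part of this thread. It generates a throwaway key in a temporary GNUPGHOME as a stand-in for the Debian keyring; the keyring path, file names and preseed contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: refuse to use a fetched preseed file unless its detached
# signature verifies against a pinned keyring. A throwaway key generated
# here stands in for the Debian keyring (assumption, for an offline demo).
set -eu

WORK=$(mktemp -d)
GNUPGHOME="$WORK/gnupghome"
export GNUPGHOME
mkdir -m 700 "$GNUPGHOME"

# Stand-in for /usr/share/keyrings/debian-keyring.gpg (constructed here).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Demo Signer <demo@example.invalid>' ed25519 sign 0
gpg --batch --quiet --export demo@example.invalid > "$WORK/pinned-keyring.gpg"

# Constructed preseed file and its detached, ASCII-armored signature.
printf 'd-i debian-installer/locale string en_US\n' > "$WORK/preseed.cfg"
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --detach-sign --armor --output "$WORK/preseed.cfg.sig" "$WORK/preseed.cfg"

# verify_preseed KEYRING SIGNATURE FILE
# Exits 0 only for a good signature from a key in KEYRING. Bad signature,
# unknown signer or missing file all fail. --no-default-keyring makes sure
# keys in the user's own keyring cannot satisfy the check.
verify_preseed() {
    gpg --batch --quiet --no-default-keyring --keyring "$1" \
        --trust-model always --verify "$2" "$3" 2>/dev/null
}

# A file modified after signing (an exit-node MITM, say) must be rejected:
# returns 0 when the tampered copy is correctly refused.
verify_tampered() {
    cp "$WORK/preseed.cfg" "$WORK/tampered.cfg"
    printf 'd-i mirror/http/hostname string mirror.example.invalid\n' >> "$WORK/tampered.cfg"
    if verify_preseed "$WORK/pinned-keyring.gpg" "$WORK/preseed.cfg.sig" "$WORK/tampered.cfg"; then
        return 1   # verification wrongly succeeded
    fi
    return 0
}

if verify_preseed "$WORK/pinned-keyring.gpg" "$WORK/preseed.cfg.sig" "$WORK/preseed.cfg"; then
    echo "preseed.cfg: good signature from pinned keyring"
fi
```

A real deployment would point the keyring argument at the distribution's keyring package and fetch the signature alongside the file, so that plain HTTP transport gives the adversary no way to substitute contents unnoticed.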
Archive: https://lists.debian.org/cadc0ge-agleh5eyfkm13mvfxhmumdpamcamofazbzqgashm...@mail.gmail.com