]] Wouter Verhelst

> AFAIK, people.debian.org does not allow running server-side HTTP scripts
> (and even if it does, I think that's a bad idea and we should disable it
> ASAP). As such, people.debian.org is not an interface for reading mail
> in your browser over HTTP, or doing IRC, or whatnot. So that argument
> simply doesn't apply.

There is no need for server-side HTTP scripts to run IRC in your browser.
http://glowing-bear.github.io/glowing-bear/ talks to weechat, for instance.

> Instead, people.d.o is a place to allow downloads of files. Period.

That's not the only thing people use it for, though. They use it for
hosting web pages, their blog and so on.

> > > Additionally, since debian.org uses DNSSEC, if you can somehow MITM
> > > people.debian.org then due to DANE you can MITM it for HTTP as well as
> > > HTTPS, so forcing HTTPS really doesn't gain you much.
> >
> > Not many HTTP clients support DANE, unfortunately, and MITM-ing
> > DNSSEC-secured domains is a bit more effort than just MITM-ing a
> > plaintext HTTP connection.
>
> If you can MITM people.debian.org, you've already MITM'ed a
> DNSSEC-secured domain.

I see there's some confusion here. I'm talking about a TCP-level MITM
attack, not a DNS hijacking attack, which seems to be what you're talking
about. Hijacking TCP is trivial and happens (intentionally and by
mistake) very, very often.

> > > > > Is there an actual attack vector that we're trying to protect against
> > > > > which requires us to disable plain HTTP, or is this just yet another
> > > > > instance of the bogus "HTTP is obsolete" idea?
> > > >
> > > > There are lots of attack vectors. It's not a response to a single
> > > > attack being exploited in the wild.
> > >
> > > So name one?
> >
> > To pick a random example off a web page:
> > http://ghantoos.org/2012/10/21/cocktail-of-pxe-debian-preseed-ipmi-puppet/
> >
> > wget http://people.debian.org/~dannf/add-firmware-to/add-firmware-to
> > sed -i 's/lenny/wheezy/' add-firmware-to
> > chmod +x add-firmware-to
> > ./add-firmware-to initrd.gz initrd.nonfree.gz wheezy
>
> The problem here is not the idea that someone might MITM
> people.debian.org and provide something useless. The problem is a
> culture of people who run random code off the web without checking what
> it does.

That is also a problem, yes.
Using HTTP makes it worse than if it was using HTTPS.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Archive: https://lists.debian.org/m2pph0qmq6....@rahvafeir.err.no
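The download-then-execute sequence quoted above is the pattern this reply warns about. As an added example (not from the thread or from Debian), here is a hardened shell version of that fetch: it refuses plain-HTTP URLs outright and only marks the file executable once its SHA-256 matches a digest obtained out of band (a signed release note, a package, or similar). The wget invocation, the function names and the digest handling are assumptions of this example.

```shell
#!/bin/sh
# Added example: fetch a script over HTTPS only and verify its SHA-256
# before it becomes executable. Not code from the original thread.

# Accept only https:// URLs; a plain http:// download is rejected
# because anyone on the path can rewrite it (the TCP-level MITM above).
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# Compare a file's SHA-256 with a digest you obtained some other way.
# Returns 0 on match, 1 on mismatch.
verify_sha256() {
    vs_file="$1"; vs_expected="$2"
    vs_actual=$(sha256sum "$vs_file" | cut -d' ' -f1)
    [ "$vs_actual" = "$vs_expected" ]
}

# Download with wget (assumed available), verify, then chmod +x.
# On any failure the partial or mismatching file is removed, so a
# tampered script never ends up executable on disk.
fetch_verified() {
    fv_url="$1"; fv_dest="$2"; fv_expected="$3"
    require_https "$fv_url" || return 1
    if ! wget -q -O "$fv_dest" "$fv_url"; then
        rm -f "$fv_dest"
        return 1
    fi
    if verify_sha256 "$fv_dest" "$fv_expected"; then
        chmod +x "$fv_dest"
    else
        echo "checksum mismatch for $fv_dest, not executing" >&2
        rm -f "$fv_dest"
        return 1
    fi
}

# Usage: ./fetch_verified.sh <https-url> <destination> <expected-sha256>
if [ "$#" -eq 3 ]; then
    fetch_verified "$1" "$2" "$3"
fi
```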