On Sun, Jan 23, 2011 at 12:34 PM, AK wrote:
> Hi all,
>
> a small disclaimer first, I am not affiliated with debian in any way, I
> am, as the original author would have put it a user. I would like to
> play devil's advocate in a few of the quite interesting points that Naja
> raises:
>
> 1) Why is *getting* debian over plain HTTP such a big issue? Assuming
> that even you get a tampered .iso, it is trivial to verify that it is
> not the genuine one, even in using a "broken" hash algorithm such as
> MD5. SSL-enabling all downloads from Debian would have the unfortunate
> side effects of increasing the load on the servers, requiring more
> budget from the Debian team, as well as meaning losing a few mirrors
> around the globe. Personally, I view it as a reasonable risk, provided
> that the end user verifies the .iso image before installing.

There is no need to worry about additional load on the mirrors since the
only thing that needs to be verifiable are the checksums themselves, and
that could easily be hosted on a centralized https server separate from
the mirror system.

> Having said the above, the question is how could someone help by
> donating time/skills to address the points raised by the original poster?

This is one of the downsides of an all-volunteer organization: someone
actually needs to be interested, self-motivated, and willing to work on
the issue at hand. However, in this case it will be hard for any non-DD
to effect any change directly. You will need to work with appropriate
teams.

One thing that could be done is to draft up some better wording for the
faq and media download pages, then work with the www team to get those
changes implemented. Also, a discussion could be started with SPI to see
if they are willing to purchase a CA cert. That would at least allow
users with implicit trust in the CA system to get a nice fuzzy feeling
when they see the lock icon when downloading checksums.

Anyway, to sum up, things can certainly be improved; it just requires
someone to step up and work with the affected teams to make the desired
changes.

Best wishes,
Mike
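
The split discussed in this message (checksum list fetched from one HTTPS host, image fetched from any plain-HTTP mirror) can be sketched as follows. This is an added example, not part of the original thread or any Debian tooling; SHA-256, the coreutils-style list format and the name `example.iso` are assumptions of the example, and the data is constructed.

```python
import hashlib
import hmac
import string
import tempfile
from pathlib import Path


def parse_sums(text):
    """Parse coreutils-style lines: '<hex>  <name>' or '<hex> *<name>'."""
    sums = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        if not (len(digest) == 64 and set(digest) <= set(string.hexdigits)
                and len(rest) > 1 and rest[0] in " *"):
            raise ValueError("malformed checksum line: %r" % line)  # fail closed
        sums[rest[1:]] = digest.lower()
    return sums


def file_sha256(path, chunk=1 << 20):
    """Hash in chunks so a multi-gigabyte image is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, trusted_sums_text):
    """True only if the file is named in the trusted list and its digest matches."""
    expected = parse_sums(trusted_sums_text).get(Path(path).name)
    if expected is None:
        return False  # an unlisted file is unverified, not acceptable by default
    return hmac.compare_digest(file_sha256(path), expected)


def demo():
    # Constructed data: a tiny stand-in image and the list the HTTPS host would serve.
    genuine = b"constructed stand-in for an installer image\n"
    trusted = hashlib.sha256(genuine).hexdigest() + "  example.iso\n"
    with tempfile.TemporaryDirectory() as d:
        path = Path(d, "example.iso")
        path.write_bytes(genuine)
        intact = verify_image(path, trusted)
        path.write_bytes(genuine + b"\x00")  # one byte altered on the mirror path
        modified = verify_image(path, trusted)
    return intact, modified
```

Only the checksum text has to travel over the authenticated channel; the image bytes can come from any mirror because the comparison fails on any modification.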