Hello,
I would use Tor hidden service instead of SSL.
Greetings from Bulgaria,
Nikolay Kubarelov
On 10/29/2013 03:31 AM, Mark Haase wrote:
It's a bit ironic that the Debian security site doesn't offer SSL,
right? If an attacker can MITM an organization that uses Debian, then
they can MITM the Debian security page and control what security
bulletins that organization can access.
I'm also concerned because this same domain hosts automated security
content, e.g.
http://www.debian.org/security/oval/oval-definitions-2013.xml.
In the future, organizations may be running software that
automatically makes decisions about security policies based on the
SCAP content in files such as this. If an attacker can MITM this
automated security mechanism, then the attacker can interfere with or
blind the organization's automated security tools.
I'd like to suggest that Debian should at least use SSL on their
security site, even if nowhere else.
Cheers,
--
Mark E. Haase
CISSP, CEH
Sr. Security Software Engineer
www.lunarline.com
3300 N Fairfax Drive, Suite 308, Arlington, VA 22201
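The concern in the quoted message is that automated tooling consuming OVAL/SCAP content over plain HTTP has no way to tell a genuine document from one altered in transit. The following is an added example, not code from Debian or from either poster, showing the two checks such a consumer should apply before acting on the content: refuse a plaintext source, and verify the document against a digest obtained out of band (the `TRUSTED_DIGEST` name, the `consume` function and the sample OVAL documents are all constructed for this illustration; the URL is the one from the message with an https scheme).

```python
"""Defensive consumer for automated security content (OVAL-style XML).

Added example, not Debian's or the posters' code. It assumes the consumer
already holds a trusted SHA-256 digest of the document obtained out of band
(hypothetical TRUSTED_DIGEST) and shows why transport plus integrity checks
matter: a copy altered in transit parses fine but is rejected before use.
"""
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

OVAL_NS = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"

# Constructed sample: a minimal OVAL-like definitions document.
SAMPLE_OVAL = b"""<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:org.debian:def:1" class="vulnerability" version="1">
      <metadata><title>example advisory one</title></metadata>
    </definition>
    <definition id="oval:org.debian:def:2" class="vulnerability" version="1">
      <metadata><title>example advisory two</title></metadata>
    </definition>
  </definitions>
</oval_definitions>
"""

# Constructed: the same document with one definition silently dropped, the
# kind of change that would blind a scanner relying on this feed.
TAMPERED_OVAL = SAMPLE_OVAL.replace(
    b'    <definition id="oval:org.debian:def:2" class="vulnerability" version="1">\n'
    b'      <metadata><title>example advisory two</title></metadata>\n'
    b'    </definition>\n',
    b"",
)

# Hypothetical: in practice this digest (or a signature) is distributed
# separately from the document itself, never alongside it on the same feed.
TRUSTED_DIGEST = hashlib.sha256(SAMPLE_OVAL).hexdigest()

# URL from the message, with the scheme the message argues for.
FEED_URL = "https://www.debian.org/security/oval/oval-definitions-2013.xml"


def source_is_acceptable(url):
    """Only TLS-protected sources are acceptable for automated consumption."""
    return urlparse(url).scheme == "https"


def digest_matches(data, expected_hex):
    """Compare the document's SHA-256 digest with the out-of-band value."""
    return hashlib.sha256(data).hexdigest() == expected_hex


def parse_definition_ids(data):
    """Extract definition ids; this is what an unchecked consumer would act on."""
    root = ET.fromstring(data)
    return [d.get("id") for d in root.iter(OVAL_NS + "definition")]


def consume(url, data, expected_hex):
    """Return (status, ids): ids are only produced when both checks pass."""
    if not source_is_acceptable(url):
        return ("plaintext-source", [])
    if not digest_matches(data, expected_hex):
        return ("digest-mismatch", [])
    return ("ok", parse_definition_ids(data))


if __name__ == "__main__":
    print("unchecked parse of tampered copy:", parse_definition_ids(TAMPERED_OVAL))
    print("https + genuine  :", consume(FEED_URL, SAMPLE_OVAL, TRUSTED_DIGEST))
    print("http  + genuine  :", consume(FEED_URL.replace("https://", "http://", 1),
                                        SAMPLE_OVAL, TRUSTED_DIGEST))
    print("https + tampered :", consume(FEED_URL, TAMPERED_OVAL, TRUSTED_DIGEST))
```

The unchecked parse of the tampered copy succeeds and simply reports one advisory fewer, which is exactly the "blinding" the message describes; the checked path refuses it. The digest comparison stands in for whatever integrity mechanism the feed offers (a detached signature would serve the same role); the point is that the check must not depend on the same unauthenticated channel that delivered the document.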