How about if we use an SSL certificate signed by Debian's own root CA, which can be shipped with the distros? This will eliminate the paranoia about the NSA having control over the existing CAs, especially the ones based in the States.
-Vipul

On Oct 29, 2013 4:18 AM, "Volker Birk" <v...@pibit.ch> wrote:
> On Mon, Oct 28, 2013 at 09:31:35PM -0400, Mark Haase wrote:
> > It's a bit ironic that the Debian security site doesn't offer SSL, right?
> > If an attacker can MITM an organization that uses Debian, then they can
> > MITM the Debian security page and control what security bulletins that
> > organization can access.
>
> BTW: if the NSA take one single trusted CA (and they did for sure),
> HTTPS is b0rken for each site.
>
> Yours,
> VB.
>
> --
> Volker Birk
> Oberer Graben 4, 8400 Winterthur, Schweiz
> mailto:v...@dingens.org http://fdik.org
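As an added illustration of the proposal above (this script is not from the thread and not Debian's own tooling), the shell script below uses the openssl command-line tool to build a constructed "distro" root CA, issue a certificate for a constructed host name (security.example.org), and then check that the certificate verifies against that single trust anchor but not against an unrelated root standing in for any other CA in the system bundle. It assumes only that the openssl binary and mktemp are installed; every name and file path in it is made up for the example.

```shell
#!/bin/sh
# Added example: a distro-shipped root CA as the only trust anchor.
# All names (Example Distro Root CA, security.example.org) are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA.  $1 = file prefix, $2 = subject CN.
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue a leaf certificate for a host, signed by the named root CA.
# $1 = CA prefix, $2 = host name; writes $WORK/$2.crt
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 90 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Verify a leaf against exactly one trust-anchor file.  The exit status is
# what a client that only trusts the distro CA would get: 0 = trusted.
# $1 = CA prefix, $2 = host name
verify_with_anchor() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# The distro ships one root; a second, unrelated root stands in for any
# other CA that a general-purpose system bundle would trust.
make_root_ca distro "Example Distro Root CA"
make_root_ca other  "Some Other Root CA"
issue_leaf distro security.example.org

if verify_with_anchor distro security.example.org; then
    echo "leaf trusted via distro CA (expected)"
fi
if verify_with_anchor other security.example.org; then
    echo "leaf trusted via unrelated CA (unexpected)"
else
    echo "leaf rejected by unrelated CA (expected)"
fi
```

The narrowing of trust only happens if the client actually validates against the shipped CA file rather than the full system bundle (for example `curl --cacert` pointing at it); a client that keeps the whole bundle gains nothing. Note also that the shipped root then becomes a single point of compromise in its own right, so its private key and signing process need the same protection Volker's objection assumes the commercial CAs lacked.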