Package: www.debian.org

When downloading a Debian CD there's a webpage explaining how to verify signatures: https://www.debian.org/CD/verify

This recommends checking the signatures with the keys from the Debian GPG keyring. However, that link is HTTP, pointing to: http://keyring.debian.org/

It will immediately redirect to HTTPS, but an attacker could intercept that redirection and present a user with a malicious keyring instead. This makes the verification kinda pointless, as the keyring is delivered over a potentially insecure channel. The lack of HSTS on debian.org makes this particularly worrisome.

Please change that link to HTTPS.
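The two conditions the report points at (a plaintext http:// link on the verification page, and a host that does not send Strict-Transport-Security) are easy to audit mechanically. The following Python script is an added example and not part of the bug report or of any Debian tooling; the HTML snippet, the header sets, and the 180-day max-age threshold in `check_hsts` are constructed assumptions for illustration. It extracts links from a page and flags those still using the http:// scheme, and parses a response's HSTS header to report a missing, malformed, or weak policy, the gap that lets the initial redirect be intercepted.

```python
# Added example (not from the bug report or Debian): audit a page for
# plaintext http:// links and check a response for a usable HSTS header.
# The HTML and the header dictionaries below are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed snippet mimicking a verification page linking to the keyring.
SAMPLE_HTML = """
<p>Check the signatures with the keys from the
<a href="http://keyring.debian.org/">Debian GPG keyring</a>.
See also <a href="https://www.debian.org/CD/verify">the verify page</a>
and <a href="/CD/faq/">the FAQ</a>.</p>
"""

# Constructed header sets: a redirect with no HSTS, and a response with a policy.
HEADERS_NO_HSTS = {"Location": "https://keyring.debian.org/", "Server": "Apache"}
HEADERS_WITH_HSTS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


class LinkCollector(HTMLParser):
    """Collect href values of <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_plaintext_links(html):
    """Return the absolute links in the page that use the http:// scheme."""
    parser = LinkCollector()
    parser.feed(html)
    return [h for h in parser.hrefs if urlsplit(h).scheme.lower() == "http"]


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives.
    Returns None when max-age is absent, which makes the policy invalid."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def check_hsts(headers, min_max_age=15552000):
    """Return audit findings for a response-header dict (empty list if fine).
    The 180-day minimum is an assumed audit threshold, not a Debian setting."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header: the first http:// request "
                "and its redirect can be intercepted"]
    policy = parse_hsts(value)
    if policy is None:
        return ["malformed Strict-Transport-Security header (no max-age)"]
    findings = []
    if policy["max_age"] < min_max_age:
        findings.append(f"max-age={policy['max_age']} is below {min_max_age}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains such as the "
                        "keyring host are not covered by the parent policy")
    return findings


if __name__ == "__main__":
    for link in find_plaintext_links(SAMPLE_HTML):
        print("plaintext link:", link)
    for label, hdrs in (("no HSTS", HEADERS_NO_HSTS), ("with HSTS", HEADERS_WITH_HSTS)):
        print(label, "->", check_hsts(hdrs) or ["ok"])
```

In a real audit the header dictionary would come from the HTTPS response of the host in question; the point of the check is that an HSTS policy only protects a browser that has already seen it, so the link on the page itself still has to be https:// for first-time visitors.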