Your message dated Thu, 24 Aug 2017 21:24:18 +0000
with message-id <e1dkzbu-00013x...@moszumanska.debian.org>
and subject line Debian WWW CVS commit by gusnan fixes #873122
has caused the Debian Bug report #873122,
regarding HTTP Link to Keyring
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
873122: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873122
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: www.debian.org

When downloading a Debian CD there's a webpage explaining how to verify
signatures:
https://www.debian.org/CD/verify

This recommends to check the signatures with the keys from the Debian
GPG keyring. However that link is HTTP, pointing to:
http://keyring.debian.org/

It will immediately redirect to HTTPS, but an attacker could intercept
that redirection and present a user with a malicious keyring instead.

This makes the verification kinda pointless, as the keyring is
delivered over a potentially insecure channel. The lack of HSTS on
debian.org makes this particularly worrisome. Please change that link
to HTTPS.
--- End Message ---
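
An added example, not part of the original report or of Debian's own tooling: an offline check for the two conditions the report describes, a plain-HTTP link to a key-distribution host and a redirect chain whose HTTPS hop sends no HSTS header. The page snippet and recorded hops are constructed sample data, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _Links(HTMLParser):
    """Collect href values from <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def plaintext_links(html, trust_hosts):
    """Return links that reach a key-distribution host over plain HTTP."""
    parser = _Links()
    parser.feed(html)
    return [h for h in parser.hrefs
            if urlsplit(h).scheme == "http" and urlsplit(h).hostname in trust_hosts]

def audit_chain(chain):
    """Flag weak hops in a recorded redirect chain of (url, status, headers)."""
    findings = []
    for i, (url, _status, headers) in enumerate(chain):
        names = {k.lower() for k in headers}
        if urlsplit(url).scheme == "http":
            # Nothing authenticates this response, so its Location header
            # (and any HSTS header on it) cannot be trusted by the client.
            findings.append((i, "cleartext-hop"))
        elif "strict-transport-security" not in names:
            # Without HSTS, a later http:// link still starts in cleartext.
            findings.append((i, "no-hsts"))
    return findings

# Constructed sample data modelled on the report, not a real capture.
SAMPLE_PAGE = ('<p>Keys: <a href="http://keyring.debian.org/">keyring</a>, '
               '<a href="https://www.debian.org/CD/verify">verify</a></p>')
SAMPLE_CHAIN = [
    ("http://keyring.debian.org/", 301, {"Location": "https://keyring.debian.org/"}),
    ("https://keyring.debian.org/", 200, {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    print(plaintext_links(SAMPLE_PAGE, {"keyring.debian.org"}))
    print(audit_chain(SAMPLE_CHAIN))
```
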
--- Begin Message ---
This bug was closed by gusnan in the webwml CVS repository:
https://www.debian.org/devel/website/using_cvs
Note that it might take some time until www.debian.org has been updated.
CVSROOT: /cvs/webwml
Module name: webwml
Changes by: gusnan 17/08/24 21:24:18
Modified files:
bulgarian/CD : verify.wml
Log message:
Fix https problems (Closes: #873122)
--- End Message ---