I would like to revive this two-year-old debate.

1. Not everyone is convinced that HTTPS is valuable and worthwhile.

I encourage doubters to re-read these threads:
https://lists.debian.org/debian-security/2014/07/msg00002.html
https://lists.debian.org/debian-security/2014/07/msg00022.html

And add:
- Yes, checksums and signatures provide package integrity, but HTTPS provides communication confidentiality, a valuable asset.
- Yes, traffic analysis is still possible, but HTTPS provides decent protection against all but very skilled and resourceful attackers.
- Yes, Tor Hidden Services are even better (and I use them), but they don't scale and they can't easily be enabled by default; HTTPS can.

2. There are some issues about certificate handling and verification.

Since this thread, Let's Encrypt has launched - and it's very successful:
https://letsencrypt.org/2016/06/22/https-progress-june-2016.html
Most mirror operators should be able to obtain and maintain a Let's Encrypt certificate.

3. "Provide HTTPS" is a little vague. There are quite a few different tasks to make progress:

A. "apt-transport-https can be included by default in Debian"
This has been suggested repeatedly. How about giving that package the priority level "important"?
https://www.debian.org/doc/debian-policy/ch-archive.html#s-priorities

B. "include existing HTTPS mirrors wherever Debian mirrors are listed"
So far there's only an unofficial list at http://noodle.portalus.net/debian_https_mirrors.txt. There's no mention of HTTPS-enabled mirrors on https://www.debian.org/mirror/list.
Let's add the existing HTTPS mirrors there. And let's add either a table column - or better: a section of the page - devoted to HTTPS capability.

C. Encourage mirror operators to provide HTTPS
Currently, "Setting up a Debian archive mirror" https://www.debian.org/mirror/ftpmirror has no mention of HTTPS.
Let's add a section on why and how to set up a mirror with HTTPS.

D. Encourage Official Debian mirrors to provide HTTPS
Currently, "Official Debian mirrors" https://www.debian.org/mirror/official has no mention of HTTPS.
Let's add a section on why and how to add HTTPS to official mirrors. I would even propose to add HTTPS to the protocols "the mirror should be made available at least via".

E. Encourage users to use HTTPS mirrors
Currently, the default sources.list has no mention of HTTPS. Let's add an HTTPS-enabled mirror, uncommented by default (for now).
Currently, https://wiki.debian.org/SourcesList has no mention of HTTPS. Let's add a section on why and how to use HTTPS mirrors.

So much for me. Please feel free to add or specify more workable chunks to get this moving.

PS: HTTP Must Die. https://www.youtube.com/watch?v=Mg-pfkK97gY

-- 
ilf

Over 80 million Germans don't use a console. Don't click away!
-- An initiative of the Federal Office for Keyboard Use
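Item E above asks users to point sources.list at HTTPS mirrors. The following script is an added example, not part of ilf's post and not Debian's own tooling: it parses one-line sources.list entries (deb/deb-src, optional [options], URI, suite, components) and reports which entries still fetch over plain http://, suggesting an https:// rewrite where the mirror host appears in a list of HTTPS-capable mirrors. Both the host list (HTTPS_CAPABLE_HOSTS) and the sample sources.list are constructed for illustration using example.org/example.net names; in practice the host list would be built from the HTTPS mirror list the post asks for. It does no network access.

```python
"""Audit APT sources.list entries for plain-HTTP mirrors.

Added example (not from the original mailing-list post). Parses the
one-line sources.list format and reports entries that fetch over
unencrypted http://, suggesting an https:// rewrite where the host is
in a constructed list of HTTPS-capable mirrors. No network access.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample for this example: hosts assumed to serve the archive
# over HTTPS. A real audit would load this from the published mirror list.
HTTPS_CAPABLE_HOSTS = {"mirror.example.org"}

# One-line sources.list syntax: <type> [options] <uri> <suite> <component...>
SOURCE_LINE = re.compile(
    r"^(?P<type>deb|deb-src)\s+"
    r"(?:\[(?P<options>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+"
    r"(?P<suite>\S+)"
    r"(?:\s+(?P<components>.*))?$"
)


@dataclass
class SourceEntry:
    kind: str
    options: str
    uri: str
    suite: str
    components: List[str]

    @property
    def scheme(self) -> str:
        return urlsplit(self.uri).scheme

    @property
    def host(self) -> str:
        return urlsplit(self.uri).hostname or ""


def parse_sources_list(text: str) -> List[SourceEntry]:
    """Parse one-line-style sources.list text; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SOURCE_LINE.match(line)
        if not m:
            continue  # not a deb/deb-src line; ignore
        entries.append(SourceEntry(
            kind=m.group("type"),
            options=m.group("options") or "",
            uri=m.group("uri"),
            suite=m.group("suite"),
            components=(m.group("components") or "").split(),
        ))
    return entries


def https_rewrite(entry: SourceEntry) -> Optional[str]:
    """Return an https:// URI for a plain-http entry whose host is known to
    serve HTTPS; None when the entry is already encrypted or the host is unknown."""
    if entry.scheme != "http" or entry.host not in HTTPS_CAPABLE_HOSTS:
        return None
    parts = urlsplit(entry.uri)
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


def audit(text: str) -> List[str]:
    """One finding per plain-http entry: 'uri -> suggestion' or 'uri (no known HTTPS mirror)'."""
    findings = []
    for e in parse_sources_list(text):
        if e.scheme != "http":
            continue
        rewrite = https_rewrite(e)
        if rewrite:
            findings.append(f"{e.uri} -> {rewrite}")
        else:
            findings.append(f"{e.uri} (no known HTTPS mirror)")
    return findings


# Constructed sample sources.list (example.org / example.net hosts only).
SAMPLE_SOURCES = """\
# constructed sample sources.list
deb http://mirror.example.org/debian stretch main contrib
deb-src http://mirror.example.org/debian stretch main
deb [arch=amd64] http://mirror.example.org/debian stretch-updates main
deb http://old.example.net/debian stretch main
deb https://mirror.example.org/debian-security stretch/updates main
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SOURCES):
        print(finding)
```

Run it against a real /etc/apt/sources.list by reading the file into `audit()`; the entry with an unknown host is reported but left alone, which is the right default for an audit tool, since silently rewriting to an https:// URI that the mirror does not serve would break `apt-get update`.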