It's a bit ironic that the Debian security site doesn't offer SSL, right? If an attacker can MITM an organization that uses Debian, then they can MITM the Debian security page and control what security bulletins that organization can access.
I'm also concerned because this same domain hosts automated security content, e.g. http://www.debian.org/security/oval/oval-definitions-2013.xml. In the future, organizations may be running software that automatically makes decisions about security policies based on the SCAP content in files such as this. If an attacker can MITM this automated security mechanism, then the attacker can interfere with or blind the organization's automated security tools. I'd like to suggest that Debian should at least use SSL on their security site, even if nowhere else. Cheer, -- Mark E. Haase CISSP, CEH Sr. Security Software Engineer www.lunarline.com 3300 N Fairfax Drive, Suite 308, Arlington, VA 22201
