On Thu, 24 Aug 2017 19:53:59 +0200, Hanno Böck <ha...@hboeck.de> wrote:

>Package: www.debian.org
>
>When downloading a Debian CD there's a webpage explaining how to verify
>signatures:
>https://www.debian.org/CD/verify
>
>This recommends checking the signatures with the keys from the Debian
>GPG keyring. However that link is HTTP, pointing to:
>http://keyring.debian.org/
>
>It will immediately redirect to HTTPS, but an attacker could intercept
>that redirection and present a user with a malicious keyring instead.
>
>This makes the verification kinda pointless, as the keyring is
>delivered over a potentially insecure channel. The lack of HSTS on
>debian.org makes this particularly worrisome. Please change that link
>to HTTPS.
>

Thanks guys, this has been fixed in the CVS repository (including
translations) - it will be visible on the debian web pages when it has
been rebuilt (it rebuilds several times a day).

Thanks for your report!

--
Andreas Rönnquist
mailingli...@gusnan.se
gus...@debian.org
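The two weaknesses the report describes (a plain-HTTP link on a signature-verification page, and a site that does not send HSTS) are both easy to catch with an automated check before a page goes live. The following script is an added example for this thread, not code from the Debian web team: it extracts links from a page's HTML, flags any that resolve to an `http://` URL, and parses a `Strict-Transport-Security` header to report whether HSTS is set with a useful `max-age`. The HTML snippet and header dictionaries below are constructed sample input modelled on the report, not fetched from debian.org.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# One year in seconds: the usual minimum recommended for HSTS max-age.
ONE_YEAR = 31536000


class _LinkCollector(HTMLParser):
    """Collect href values of every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def find_insecure_links(html, page_url):
    """Return every link that resolves to a plain http:// URL.

    Relative links are resolved against page_url, so a relative link on
    an HTTPS page is correctly treated as HTTPS and not reported.
    """
    collector = _LinkCollector()
    collector.feed(html)
    insecure = []
    for href in collector.links:
        absolute = urljoin(page_url, href)
        if urlsplit(absolute).scheme == "http":
            insecure.append(absolute)
    return insecure


def hsts_status(headers):
    """Parse Strict-Transport-Security from a header dict.

    Returns None when the header is absent, otherwise a dict with
    max_age (int or None), include_subdomains and preload flags.
    """
    value = None
    for name, header_value in headers.items():
        if name.lower() == "strict-transport-security":
            value = header_value
    if value is None:
        return None
    status = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        key, _, val = directive.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            try:
                status["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age is treated as missing
        elif key == "includesubdomains":
            status["include_subdomains"] = True
        elif key == "preload":
            status["preload"] = True
    return status


def audit_page(html, page_url, headers):
    """Combine both checks and return a list of human-readable findings."""
    findings = [f"plain-http link: {link}"
                for link in find_insecure_links(html, page_url)]
    hsts = hsts_status(headers)
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    elif hsts["max_age"] is None or hsts["max_age"] < ONE_YEAR:
        findings.append(f"HSTS max-age too short or missing: {hsts['max_age']}")
    return findings


# Constructed sample page modelled on the bug report: one link to the
# keyring over plain HTTP, one relative link, one HTTPS link.
SAMPLE_HTML = """
<p>Check signatures with the keys from the
<a href="http://keyring.debian.org/">Debian GPG keyring</a>.</p>
<p>See also the <a href="/CD/faq/">FAQ</a> and
<a href="https://www.debian.org/CD/verify">this page</a>.</p>
"""
PAGE_URL = "https://www.debian.org/CD/verify"
HEADERS_WITHOUT_HSTS = {"Content-Type": "text/html"}  # constructed
HEADERS_WITH_HSTS = {"Strict-Transport-Security":
                     "max-age=63072000; includeSubDomains"}  # constructed

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, PAGE_URL, HEADERS_WITHOUT_HSTS):
        print(finding)
```

Run against the sample page, the audit reports the keyring link and the missing HSTS header; the relative `/CD/faq/` link resolves to HTTPS and is not flagged. In practice the same functions would be fed the HTML and response headers of the real page, and the check belongs in the site's build or CI step so a regression like this one is caught before publication.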