Bug#725092: HTTPS should be supported on www.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

I see that HTTPS was enabled for www.debian.org
https://lists.debian.org/debian-www/2014/02/msg00041.html

Could you please also set HSTS (HTTP Strict Transport Security) for
www.debian.org ? HSTS will help to protect users from SSL-stripping attacks.

This can be done on Apache using:

# load module (example using [RHEL])
LoadModule headers_module modules/mod_headers.so

<VirtualHost 10.0.0.1:443>
    # Use HTTP Strict Transport Security to force client to use secure connections only
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

Please consider also getting an SSL certificate for your subdomain
search.debian.org.

There is a very good talk from Adam Langley (the engineer behind Google's
HTTPS serving infrastructure and Google Chrome's network stack) about
securing web sites with HTTPS:
HOPE number 9 (2012) | 2600 - The State of HTTPS
https://www.youtube.com/watch?v=LBbCec4Bp10

Milan

On 23.10.2013 14:29, Milan Kral wrote:
> It would be useful to have HTTPS because of the widespread mass surveillance
> https://en.wikipedia.org/wiki/2013_mass_surveillance_disclosures#.22Mastering_the_Internet.22
> https://en.wikipedia.org/wiki/Bullrun_%28code_name%29
>
> ** Tue, 01 Oct 2013 14:26:53 +0200 - 725...@bugs.debian.org, Gerfried Fuchs rho...@deb.at **
>
>> HTTPS makes MiTM attacks harder. There is important information on
>> www.debian.org which should be protected against modification. For example
>> GPG fingerprints: http://www.debian.org/CD/verify
>> Of course GPG keys should be checked using Web of Trust, but HTTPS could be
>> the first layer of protection. From the user point of view it's automatic
>> and transparent.
>>
>> keyring.debian.org doesn't support HTTPS ...
>>
>> ** Tue, 1 Oct 2013 13:59:28 +0200 - 725...@bugs.debian.org, Gerfried Fuchs rho...@deb.at **
>>
>>> * milan.kral milan.k...@azet.sk [2013-10-01 13:34:05 CEST]:
>>>> www.debian.org is the main, important Debian web page, but it doesn't
>>>> support https. Could it be possible to enable HTTPS? For example
>>>> lists.debian.org, wiki.debian.org support HTTPS.
>>>
>>> Because on lists.debian.org you have subscribe information, handing over
>>> email addresses that you might not want to get eavesdropped, and on wiki
>>> you have login information that you clearly don't want to have go
>>> unencrypted over the wire.
>>>
>>> What information do you consider exchanging with www.debian.org that you
>>> consider sensitive and needing https? "Because we can" doesn't sound very
>>> convincing to me. :)
>>>
>>> Enjoy!
>>> Rhonda
>>> --
>>> If you feel discouraged, finally take courage, go |
>>> If you feel helpless, go out and help, go         | Wir sind Helden
>>> If you feel powerless, go out and act, go         | 23.55: Alles auf Anfang
>>> If you feel unmoored, find a hold and let go      |

-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJTJtBAXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQxQUY0RDVDMjhBOEQ2RkM3RjEwOUI1MzQ5
QzIzRDIwRkJGNTk0NTFFAAoJEJwj0g+/WUUetWAP/24nyFhfeCCmOkfQS80nB7C9
TVn/mt+Cvw3Vxbd4puQd0S1/tCwqtUIgbABoPrw+ugiVPQlPHzKtS6x4pnf+4LQ0
l3FFW+gug2mlRJ1Rt0r8B+OWboWQntCuE6dU7yGSyIwtJGYPVDEMJ27a9+cFuFDn
1q7Q6kUIxNrV07nmc+i0h6JXDTPXsdJJPJ6h9tPXUBEotgPFkKQwhbiXKLfXf2FT
6qsaRGJxRpn/QDneF3J97viLtGS7Xnb3rzhfCENgO7ZMeBqKCsWvAxxHbjbuoPD5
Ev1x50gETqOd8UhLTQQ7jz3PW/qewSFG28VubaKQNPfHVy99/4ryKJ5g4+je0O6g
9NKy6Wk0gZ8L+jwW2uJghPOdYE5nJ9alNL+cY0EN6GdRv8aPi5dVC6krtC4Y4x9X
BIcb/ENTEzWkG2ZDaI/hvEUKzRZjR4mfV2jlR/Q5m2n95aSPOwQJ+rGTuZ6pyKLp
IrxJBSTnE8Ch9Nq/d7EvxAdTirWv1ZFlHvaJoRdnycMkecDNZHRrGl9v8AfKs8iW
nyUvNa9mm/gWth3RwlR4JZZUFHy7IcVJ6K92ZbhxWUU7HnIXMwUFBhfc0OB271rM
aPbwH87Fm0EYCXnmTPC9ykludCCdh70jurD7/1jauRo69ebnKtuYiGxQ0Qq517Ey
qHOqWLJhSgZzXditrcQc
=8Mer
-----END PGP SIGNATURE-----

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#725092: HTTPS should be supported on www.debian.org
On Mon, Mar 17, 2014 at 6:36 PM, Milan Kral wrote:

> Could you please also set HSTS (HTTP Strict Transport Security) for
> www.debian.org ?

Already done when HTTPS was enabled:

$ HEAD https://www.debian.org | grep S.*T.*S
Strict-Transport-Security: max-age=5184000

> Please consider also getting a SSL certificate for your subdomain
> search.debian.org.

The Debian website team is not able to do that, please contact the Debian
sysadmin team:

https://wiki.debian.org/Teams/DSA#Interacting_with_the_team

--
bye,
pabs

http://wiki.debian.org/PaulWise
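The grep pabs ran above only shows that a Strict-Transport-Security header is present; it says nothing about whether a browser will accept it or what it covers. As an added example (not code from this thread, from Debian, or from the www team), the Python below parses a header value the way RFC 6797 section 6.1 requires a user agent to, audits it for the two points raised in the thread (the 60-day max-age observed versus the one-year value Milan proposed, and the missing includeSubDomains that leaves search.debian.org uncovered), and emulates the client-side rewrite of section 8.3 that makes SSL stripping fail once a policy is cached: the http:// navigation is upgraded before any request leaves the machine. The two header values used as input are the ones quoted in the thread; the function names, the one-year threshold and the cache dictionary are assumptions made for this example.

```python
"""HSTS policy checker and user-agent emulator (added example, not Debian's code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # the max-age proposed in the thread; threshold is an assumption

# directive = token [ "=" ( token / quoted-string ) ]; names are case-insensitive
_DIRECTIVE_RE = re.compile(
    r'^\s*([A-Za-z0-9!#$%&\'*+.^_`|~-]+)\s*(?:=\s*(?:"([^"]*)"|([^\s"]*)))?\s*$')


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value):
    """Return (HstsPolicy or None, list of syntax errors).

    A conforming UA ignores the whole header on any error: a directive that
    appears twice, a missing or non-numeric max-age, or an unparseable token.
    """
    errors, seen = [], {}
    for raw in value.split(';'):
        if not raw.strip():
            continue  # the grammar permits empty directives ("a;;b")
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            errors.append('unparseable directive %r' % raw.strip())
            continue
        name = m.group(1).lower()
        if name in seen:
            errors.append('directive %s appears twice' % name)
            continue
        seen[name] = m.group(2) if m.group(2) is not None else m.group(3)
    max_age = seen.get('max-age')
    if 'max-age' not in seen:
        errors.append('max-age is required')
    elif max_age is None or not re.fullmatch(r'[0-9]+', max_age):
        errors.append('max-age must be a non-negative integer, got %r' % max_age)
    if errors:
        return None, errors
    return HstsPolicy(int(max_age), 'includesubdomains' in seen, 'preload' in seen), []


def audit_hsts(value):
    """Findings a reviewer would raise about a header value; [] means fine."""
    policy, errors = parse_hsts(value)
    if errors:
        return ['invalid header, UA will ignore it: ' + '; '.join(errors)]
    findings = []
    if policy.max_age == 0:
        findings.append('max-age=0 deletes the cached policy; no protection')
    elif policy.max_age < ONE_YEAR:
        findings.append('max-age %d s is below one year (%d s)' % (policy.max_age, ONE_YEAR))
    if not policy.include_subdomains:
        findings.append('includeSubDomains absent: subdomains are not covered by this policy')
    return findings


def hsts_upgrade(url, known_hosts):
    """Emulate RFC 6797 section 8.3: rewrite http:// to https:// when the host,
    or a superdomain whose policy carries includeSubDomains, is a known HSTS
    host. known_hosts maps hostname -> HstsPolicy learned over earlier HTTPS
    responses (an assumed in-memory stand-in for the browser's HSTS cache).
    """
    parts = urlsplit(url)
    if parts.scheme != 'http':
        return url
    host = parts.hostname or ''
    labels = host.split('.')
    for i in range(len(labels)):
        policy = known_hosts.get('.'.join(labels[i:]))
        if policy is None or policy.max_age == 0:
            continue
        if i == 0 or policy.include_subdomains:
            # port 80 becomes 443 (implicit); any other explicit port is kept
            netloc = host if parts.port in (None, 80) else '%s:%d' % (host, parts.port)
            return urlunsplit(('https', netloc, parts.path, parts.query, parts.fragment))
    return url


if __name__ == '__main__':
    # Inputs: the header pabs observed and the one Milan proposed.
    for hdr in ('max-age=5184000', 'max-age=31536000; includeSubDomains'):
        print(hdr, '->', audit_hsts(hdr) or 'ok')
    cache = {'www.debian.org': parse_hsts('max-age=5184000')[0]}
    print(hsts_upgrade('http://www.debian.org/CD/verify', cache))  # upgraded
    print(hsts_upgrade('http://search.debian.org/', cache))        # not covered
```

Run it as a script to see both audits and the two rewrites; the second rewrite stays http:// because the observed policy has no includeSubDomains, which is exactly why a separate certificate or a parent-domain policy is needed for search.debian.org. Note that the cache only ever fills from a successful HTTPS response, so the very first plaintext visit remains strippable; that gap is what preloading addresses and is outside what this thread discusses.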
Bug#725092: HTTPS should be supported on www.debian.org
It would be useful to have HTTPS because of the widespread mass surveillance
https://en.wikipedia.org/wiki/2013_mass_surveillance_disclosures#.22Mastering_the_Internet.22
https://en.wikipedia.org/wiki/Bullrun_%28code_name%29

** Tue, 01 Oct 2013 14:26:53 +0200 - 725...@bugs.debian.org, Gerfried Fuchs rho...@deb.at **

> HTTPS makes MiTM attacks harder. There is important information on
> www.debian.org which should be protected against modification. For example
> GPG fingerprints: http://www.debian.org/CD/verify
> Of course GPG keys should be checked using Web of Trust, but HTTPS could be
> the first layer of protection. From the user point of view it's automatic
> and transparent.
>
> keyring.debian.org doesn't support HTTPS ...
>
> ** Tue, 1 Oct 2013 13:59:28 +0200 - 725...@bugs.debian.org, Gerfried Fuchs rho...@deb.at **
>
>> * milan.kral milan.k...@azet.sk [2013-10-01 13:34:05 CEST]:
>>> www.debian.org is the main, important Debian web page, but it doesn't
>>> support https. Could it be possible to enable HTTPS? For example
>>> lists.debian.org, wiki.debian.org support HTTPS.
>>
>> Because on lists.debian.org you have subscribe information, handing over
>> email addresses that you might not want to get eavesdropped, and on wiki
>> you have login information that you clearly don't want to have go
>> unencrypted over the wire.
>>
>> What information do you consider exchanging with www.debian.org that you
>> consider sensitive and needing https? "Because we can" doesn't sound very
>> convincing to me. :)
>>
>> Enjoy!
>> Rhonda
>> --
>> If you feel discouraged, finally take courage, go |
>> If you feel helpless, go out and help, go         | Wir sind Helden
>> If you feel powerless, go out and act, go         | 23.55: Alles auf Anfang
>> If you feel unmoored, find a hold and let go      |
Bug#725092: HTTPS should be supported on www.debian.org
Package: www.debian.org
Severity: wishlist

Hi,

www.debian.org is the main, important Debian web page, but it doesn't support
https. Could it be possible to enable HTTPS? For example lists.debian.org,
wiki.debian.org support HTTPS.

bugs.debian.org should also support HTTPS

Kind regards,
Milan Kral
Bug#725092: HTTPS should be supported on www.debian.org
* milan.kral milan.k...@azet.sk [2013-10-01 13:34:05 CEST]:
> www.debian.org is the main, important Debian web page, but it doesn't
> support https. Could it be possible to enable HTTPS? For example
> lists.debian.org, wiki.debian.org support HTTPS.

Because on lists.debian.org you have subscribe information, handing over email
addresses that you might not want to get eavesdropped, and on wiki you have
login information that you clearly don't want to have go unencrypted over the
wire.

What information do you consider exchanging with www.debian.org that you
consider sensitive and needing https? "Because we can" doesn't sound very
convincing to me. :)

Enjoy!
Rhonda
--
If you feel discouraged, finally take courage, go |
If you feel helpless, go out and help, go         | Wir sind Helden
If you feel powerless, go out and act, go         | 23.55: Alles auf Anfang
If you feel unmoored, find a hold and let go      |