Bug#844790: ftp.debian.org has broken HTTPS

2016-11-21 Thread Mattia Rizzolo
On Mon, Nov 21, 2016 at 07:33:13PM -0500, Luke wrote:
> Debian is a cluster of confusion

In that much I agree, but I find it funny most of the time (though I can
see it as discouraging too)

> All I know is many downstream sources are actively using ftp.debian.org
> to compile packages. They rarely check hash checks, cannot check GPG (as
> it does not exist)

well, they are buggy.
What do you mean "cannot check GPG (*as it does not exist*)" ?!
Everything that is in the Debian archive is somehow gpg signed
(either directly through inline signatures, or indirectly through
signatures of listing files like Sources).

> and depend solely on HTTP as their method of
> obtaining Debian sources and compiling for down stream. MiTM is a large
> factor in this case, and is reproducibly easy to do.

well, then stop trusting plain old dumb HTTP, and check the hashes of
files, hashes that are to be checked through the gpg signatures on them,
against the debian archive auto-signing key that is widely distributed.

> Since you've closed this bug, where else can I go? Where is upstream?

"upstream" here would be the Debian System Administrators, who handle
the machines and the network and all of the system setup.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540
more about me:  https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia


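The check Mattia describes above (trust the hashes in the signed listing, not the transport), as an added example that is not part of this thread: a minimal verifier for the SHA256 stanza of a Debian Release file. The Release text and the Sources index below are constructed fixtures; in a real setup the Release body is taken from InRelease only after its signature has been verified with gpgv against the archive signing key.

```python
import hashlib
import re

# One entry line of the "SHA256:" stanza:  <64 hex chars> <size in bytes> <relative path>
_ENTRY = re.compile(r"^ ([0-9a-f]{64})\s+(\d+)\s+(\S+)$")


def parse_release_sha256(release_text):
    """Parse the SHA256 stanza of a Release file into {path: (hexdigest, size)}."""
    entries = {}
    in_stanza = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_stanza = True
            continue
        if in_stanza:
            m = _ENTRY.match(line)
            if not m:
                in_stanza = False  # first non-indented line ends the stanza
                continue
            entries[m.group(3)] = (m.group(1), int(m.group(2)))
    return entries


def verify_index(release_text, path, data):
    """True only if data has the size and SHA256 the Release file lists for path."""
    entries = parse_release_sha256(release_text)
    if path not in entries:
        return False  # unlisted file: the signed Release vouches for nothing here
    expected_hash, expected_size = entries[path]
    if len(data) != expected_size:
        return False
    return hashlib.sha256(data).hexdigest() == expected_hash


# Constructed fixture: a tiny Sources index and a Release text that lists it.
SOURCES = b"Package: hello\nBinary: hello\nVersion: 2.10-1\nFormat: 3.0 (quilt)\n"


def build_release(indexes):
    """Construct Release-style text covering {path: bytes}; fixture only, not archive code."""
    lines = ["Origin: Debian", "Suite: stable", "SHA256:"]
    for path, data in indexes.items():
        lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), path))
    lines.append("")
    return "\n".join(lines)


RELEASE = build_release({"main/source/Sources": SOURCES})

if __name__ == "__main__":
    print(verify_index(RELEASE, "main/source/Sources", SOURCES))          # True
    print(verify_index(RELEASE, "main/source/Sources", SOURCES + b"\n"))  # False: tampered
```

A mirror or a plain-HTTP fetch can alter the index, but it cannot make the altered bytes match the hash in the signed Release, which is why the transport matters less than the signature check.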


Bug#844790: ftp.debian.org has broken HTTPS

2016-11-21 Thread Luke
On 11/20/2016 09:02 AM, Joerg Jaspert wrote:
> On 14496 March 1977, Luke wrote:
>
>> When navigating to https://ftp.debian.org it fails to load, due to 
>> improperly configured HTTPS.
>> Firefox gives - Error code: SEC_ERROR_UNKNOWN_ISSUER
>> Other subdomains of Debian do not have this problem. Providing HTTPS on this 
>> domain provides security from MITM attacks among other concerns.
> https does not help *anything* for the archive. MITM is no issue here.
>
> And ftpmaster does not run ftp.debian.org, wrong place.
>
In all respect, Debian is a cluster of confusion and no help. I
originally placed the bug against debian-www
(https://lists.debian.org/debian-www/2016/11/msg00033.html) and was told
that they are not in charge of it, and to file a bug here.

All I know is many downstream sources are actively using ftp.debian.org
to compile packages. They rarely check hash checks, cannot check GPG (as
it does not exist), and depend solely on HTTP as their method of
obtaining Debian sources and compiling for down stream. MiTM is a large
factor in this case, and is reproducibly easy to do.

Since you've closed this bug, where else can I go? Where is upstream?

Thank you.

- Luke






Bug#844790: ftp.debian.org has broken HTTPS

2016-11-20 Thread Joerg Jaspert
On 14496 March 1977, Luke wrote:

> When navigating to https://ftp.debian.org it fails to load, due to improperly 
> configured HTTPS.
> Firefox gives - Error code: SEC_ERROR_UNKNOWN_ISSUER

> Other subdomains of Debian do not have this problem. Providing HTTPS on this 
> domain provides security from MITM attacks among other concerns.

https does not help *anything* for the archive. MITM is no issue here.

And ftpmaster does not run ftp.debian.org, wrong place.

-- 
bye, Joerg



Bug#844790: ftp.debian.org has broken HTTPS

2016-11-18 Thread Luke
Package: ftp.debian.org,security.debian.org
Severity: minor

When navigating to https://ftp.debian.org it fails to load, due to improperly 
configured HTTPS.
Firefox gives - Error code: SEC_ERROR_UNKNOWN_ISSUER

Other subdomains of Debian do not have this problem. Providing HTTPS on this 
domain provides security from MITM attacks among other concerns.