Bug#873122: HTTP Link to Keyring

2017-08-24 Thread Andreas Ronnquist
On Thu, 24 Aug 2017 19:53:59 +0200,
Hanno Böck wrote:

>Package: www.debian.org
>
>When downloading a Debian CD there's a webpage explaining how to verify
>signatures:
>https://www.debian.org/CD/verify
>
>This recommends to check the signatures with the keys from the Debian
>GPG keyring. However that link is HTTP, pointing to:
>http://keyring.debian.org/
>
>It will immediately redirect to HTTPS, but an attacker could intercept
>that redirection and present a user with a malicious keyring instead.
>
>This makes the verification kinda pointless, as the keyring is
>delivered over a potentially insecure channel. The lack of HSTS on
>debian.org makes this particularly worrisome. Please change that link
>to HTTPS.
>

Thanks guys, this has been fixed in the CVS repository (including
translations) - It will be visible on the debian web pages when it has
been rebuilt (It rebuilds several times a day).

Thanks for your report!

-- Andreas Rönnquist
mailingli...@gusnan.se
gus...@debian.org



Bug#873122: HTTP Link to Keyring

2017-08-24 Thread Phil
Note that this will also need to be applied for all the translated
pages as well. Please let me know if there's anything I can do to speed
the process up.



Bug#873122: HTTP Link to Keyring

2017-08-24 Thread Phil
Package: www.debian.org
Severity: normal
Tags: patch

I'm attaching the original wml file + patches to change http to https.

I wanted to rename them version 1.5 /1.6 etc but didn't want to put an
extra dot. Do let me know what's good practice as this is just my
second patch submitted.

On Thu, 24 Aug 2017 21:28:00 +0100 Phil wrote:
> Hi Hanno,
> 
> Thank you very much for bringing this to our attention.
> 
> I'll submit a patch shortly for approval to get this amended.
> 
> Please do let us know if you spot anything else!
> 
> Phil
> 
> On Thu, 24 Aug 2017 19:53:59 +0200 Hanno Böck wrote:
> > Package: www.debian.org
> > 
> > When downloading a Debian CD there's a webpage explaining how to
> > verify signatures:
> > https://www.debian.org/CD/verify
> > 
> > This recommends to check the signatures with the keys from the
> > Debian GPG keyring. However that link is HTTP, pointing to:
> > http://keyring.debian.org/
> > 
> > It will immediately redirect to HTTPS, but an attacker could
> > intercept that redirection and present a user with a malicious keyring
> > instead.
> > 
> > This makes the verification kinda pointless, as the keyring is
> > delivered over a potentially insecure channel. The lack of HSTS on
> > debian.org makes this particularly worrisome. Please change that
> > link to HTTPS.
> > 
> > 
> -- 
> Phil
> 
> 
-- 
Phil

#use wml::debian::cdimage title="Verifying authenticity of Debian CDs" BARETITLE=true


Official releases of Debian CDs come with signed checksum files;
look for them alongside the images in the iso-cd,
jigdo-dvd, iso-hybrid etc. directories.
These allow you to check that the images you download are correct.
First of all, the checksum can be used to check that the CDs have not
been corrupted during download.
Secondly, the signatures on the checksum files allow you to confirm
that the files are the ones officially released by the Debian CD /
Debian Live team and have not been tampered with.



To validate the contents of a CD image, just be sure to use the
appropriate checksum tool.
Cryptographically strong checksum
algorithms (SHA256 and SHA512) are available for every release; you should use the tools
sha256sum or sha512sum to work with these.



To ensure that the checksum files themselves are correct, use GnuPG to
verify them against the accompanying signature files (e.g.
SHA512SUMS.sign).
The keys used for these signatures are all in the <a href="https://keyring.debian.org">Debian GPG keyring</a> and the best
way to check them is to use that keyring to validate via the web of
trust.
To make life easier for users, here are the fingerprints for the keys
that have been used for releases in recent years:


#include "$(ENGLISHDIR)/CD/CD-keys.data"
--- verify_v15.wml	2017-08-24 21:29:56.068732095 +0100
+++ verify_v16.wml	2017-08-24 21:31:26.540391738 +0100
@@ -25,7 +25,7 @@
 verify them against the accompanying signature files (e.g.
 SHA512SUMS.sign).
 The keys used for these signatures are all in the http://keyring.debian.org";>Debian GPG keyring and the best
+href="https://keyring.debian.org";>Debian GPG keyring and the best
 way to check them is to use that keyring to validate via the web of
 trust.
 To make life easier for users, here are the fingerprints for the keys
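Review bot: the -/+ pair differs only in the URL scheme of the href (http to https), which is the whole fix for this file, but the hunk touches only this one verify.wml; each translated copy of the CD/verify page carries the same href and needs the same one-line change, as the thread itself notes, or those pages keep sending users to the keyring over plaintext HTTP. A secondary point on the headers: the paths verify_v15.wml and verify_v16.wml are local working copies rather than the file's path in the repository, so the patch will not apply with a plain patch -p0/-p1 against a checkout without the reviewer editing the path.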
#use wml::debian::cdimage title="Verifying authenticity of Debian CDs" BARETITLE=true


Official releases of Debian CDs come with signed checksum files;
look for them alongside the images in the iso-cd,
jigdo-dvd, iso-hybrid etc. directories.
These allow you to check that the images you download are correct.
First of all, the checksum can be used to check that the CDs have not
been corrupted during download.
Secondly, the signatures on the checksum files allow you to confirm
that the files are the ones officially released by the Debian CD /
Debian Live team and have not been tampered with.



To validate the contents of a CD image, just be sure to use the
appropriate checksum tool.
Cryptographically strong checksum
algorithms (SHA256 and SHA512) are available for every release; you should use the tools
sha256sum or sha512sum to work with these.



To ensure that the checksum files themselves are correct, use GnuPG to
verify them against the accompanying signature files (e.g.
SHA512SUMS.sign).
The keys used for these signatures are all in the <a href="http://keyring.debian.org">Debian GPG keyring</a> and the best
way to check them is to use that keyring to validate via the web of
trust.
To make life easier for users, here are the fingerprints for the keys
that have been used for releases in recent years:


#include "$(ENGLISHDIR)/CD/CD-keys.data"


Bug#873122: HTTP Link to Keyring

2017-08-24 Thread Phil
Hi Hanno,

Thank you very much for bringing this to our attention.

I'll submit a patch shortly for approval to get this amended.

Please do let us know if you spot anything else!

Phil

On Thu, 24 Aug 2017 19:53:59 +0200 Hanno Böck wrote:
> Package: www.debian.org
> 
> When downloading a Debian CD there's a webpage explaining how to
> verify signatures:
> https://www.debian.org/CD/verify
> 
> This recommends to check the signatures with the keys from the Debian
> GPG keyring. However that link is HTTP, pointing to:
> http://keyring.debian.org/
> 
> It will immediately redirect to HTTPS, but an attacker could
> intercept that redirection and present a user with a malicious keyring instead.
> 
> This makes the verification kinda pointless, as the keyring is
> delivered over a potentially insecure channel. The lack of HSTS on
> debian.org makes this particularly worrisome. Please change that
> link to HTTPS.
> 
> 
-- 
Phil



Bug#873122: HTTP Link to Keyring

2017-08-24 Thread Hanno Böck
Package: www.debian.org

When downloading a Debian CD there's a webpage explaining how to verify
signatures:
https://www.debian.org/CD/verify

This recommends to check the signatures with the keys from the Debian
GPG keyring. However that link is HTTP, pointing to:
http://keyring.debian.org/

It will immediately redirect to HTTPS, but an attacker could intercept
that redirection and present a user with a malicious keyring instead.

This makes the verification kinda pointless, as the keyring is
delivered over a potentially insecure channel. The lack of HSTS on
debian.org makes this particularly worrisome. Please change that link
to HTTPS.
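An added check for the defect class reported above (this is example code written for this page, not part of the bug thread or of the Debian web team's tooling): it walks HTML/WML source and lists every fetchable URL that still uses the plaintext http:// scheme, so a site maintainer can find links like the keyring one before a user's redirect hop can be intercepted. The sample markup is constructed to mimic the verify.wml excerpt attached to the bug.

```python
"""Find plaintext http:// links in HTML/WML source (the defect behind Bug#873122)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that carry a URL the browser will fetch; an http:// value in any of
# them can be intercepted before the server's redirect to https:// is seen.
URL_ATTRS = {"a": "href", "link": "href", "script": "src", "img": "src", "iframe": "src"}


class InsecureLinkFinder(HTMLParser):
    """Collect (line, tag, url) for every URL attribute that uses the http scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            # urlsplit lowercases the scheme, so HTTP:// is caught as well;
            # relative links ("../faq/") have an empty scheme and are skipped.
            if name == attr and value and urlsplit(value).scheme == "http":
                line, _col = self.getpos()  # position of the opening '<'
                self.findings.append((line, tag, value))


def find_insecure_links(source):
    """Return a list of (line, tag, url) for plaintext links in the given markup."""
    finder = InsecureLinkFinder()
    finder.feed(source)
    finder.close()
    return finder.findings


# Constructed sample modelled on the verify.wml excerpt in the bug: one http://
# anchor to the keyring (the reported defect), one https:// anchor, one relative link.
SAMPLE_WML = """#use wml::debian::cdimage title="Verifying authenticity of Debian CDs"
<p>The keys used for these signatures are all in the <a
href="http://keyring.debian.org">Debian GPG keyring</a> and the best
way to check them is to use that keyring to validate via the web of trust.</p>
<p>See also <a href="https://www.debian.org/CD/verify">the verify page</a>
and <a href="../faq/">the FAQ</a>.</p>
"""

if __name__ == "__main__":
    for line, tag, url in find_insecure_links(SAMPLE_WML):
        print(f"line {line}: <{tag}> uses plaintext URL {url}")
```

Run against a checkout of the site's wml sources, each reported line is a candidate for the same http-to-https change the patch in this thread makes.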