subject:"Bug#893980\: www.debian.org\: Many mirrors have no or untrusted HTTPS certificates"

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

2018-03-27 Thread Paul Wise

On Tue, 2018-03-27 at 09:24 +0200, Martin Monperrus wrote:

> If some primary mirrors support HTTPS with a proper certificate

As Rhonda and I said before, that isn't possible because of the
requirements on the ftp.*.debian.org domains.

> What would be great is a list of all mirrors which support HTTPS with
> a proper certificate. That list can be maintained automatically.

I'm sure the mirror monitoring team would welcome help with that,
their code is available here and their results are available here:

https://salsa.debian.org/mirror-team/
https://mirror-master.debian.org/

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

signature.asc
Description: This is a digitally signed message part

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

2018-03-27 Thread Martin Monperrus


> Martin was talking about tracking https availability for the secondary
> mirrors, which don't have an associated ftp.*.debian.org DNS record.
>
If some primary mirrors support HTTPS with a proper certificate, that would be 
useful as well (eg
https://ftp.am.debian.org/debian/ doesn't).

What would be great is a list of all mirrors (both primary and secondary) which 
support HTTPS with a
proper certificate. That list can likely be maintained automatically.

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

2018-03-26 Thread Paul Wise

On Mon, Mar 26, 2018 at 10:11 PM, Rhonda D'Vine wrote:

>  Right, but DNS for the primary ones, and pointing them towards a server
> that isn't under their control would mean that they'd have to carry a
> *.debian.org wildcard certificate.  Which won't happen for non-DSA
> operated infrastructure.

Martin was talking about tracking https availability for the secondary
mirrors, which don't have an associated ftp.*.debian.org DNS record.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

2018-03-26 Thread Rhonda D'Vine

* Paul Wise  [2018-03-26 15:52:45 CEST]:
> On Mon, Mar 26, 2018 at 9:39 PM, Rhonda D'Vine wrote:
> > * Martin Monperrus:
> >> Would it make sense to keep track of valid https support for the
> >> secondary mirrors?
> >
> >  Actually the issue still holds: The mirror team needs to repoint
> > mirrors to other servers at times and thus the certificate there
> > wouldn't include those redirected mirrors.
> 
> The mirror team don't control the DNS for secondary mirrors. The
> individual mirror admins could be doing that, but it seems unlikely to
> me.

 Right, but DNS for the primary ones, and pointing them towards a server
that isn't under their control would mean that they'd have to carry a
*.debian.org wildcard certificate.  Which won't happen for non-DSA
operated infrastructure.

> > I am aware that there is a privacy concern involved, like what packages
> > get downloaded, but appart from that that's the only knowledge to gain
> > from unencrypted http traffic.
> 
> https doesn't provide protection against correlation of download size
> to packages downloaded, so it doesn't have much advantage over http
> for package download privacy.

 Ah, right, forgot about that point.  So even that point is moot.
Thanks for pointing that out. :)

 Enjoy,
Rhonda
-- 
Fühlst du dich mutlos, fass endlich Mut, los  |
Fühlst du dich hilflos, geh raus und hilf, los| Wir sind Helden
Fühlst du dich machtlos, geh raus und mach, los   | 23.55: Alles auf Anfang
Fühlst du dich haltlos, such Halt und lass los|

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

2018-03-26 Thread Paul Wise

On Mon, Mar 26, 2018 at 9:39 PM, Rhonda D'Vine wrote:
> * Martin Monperrus:
>> Would it make sense to keep track of valid https support for the
>> secondary mirrors?
>
>  Actually the issue still holds: The mirror team needs to repoint
> mirrors to other servers at times and thus the certificate there
> wouldn't include those redirected mirrors.

The mirror team don't control the DNS for secondary mirrors. The
individual mirror admins could be doing that, but it seems unlikely to
me.

> I am aware that there is a privacy concern involved, like what packages
> get downloaded, but appart from that that's the only knowledge to gain
> from unencrypted http traffic.

https doesn't provide protection against correlation of download size
to packages downloaded, so it doesn't have much advantage over http
for package download privacy.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

2018-03-26 Thread Rhonda D'Vine

   Hi Martin,

* Martin Monperrus  [2018-03-26 11:54:12 CEST]:
> Hi Pabs,
> 
> > The Debian mirror team don't keep track of https support for the
> > secondary mirrors
>
> Would it make sense to keep track of valid https support for the
> secondary mirrors?

 Actually the issue still holds: The mirror team needs to repoint
mirrors to other servers at times and thus the certificate there
wouldn't include those redirected mirrors.

 I am aware that there is a privacy concern involved, like what packages
get downloaded, but appart from that that's the only knowledge to gain
from unencrypted http traffic. apt itself does verify the packages
through the locally installed keychain and the checksums through the
signed Release file, so injecting other packages isn't really an issue
AIUI.  Given that the release file also has a date stored and TTBOMK apt
warns about aged release files it shouldn't be much of an issue to sneak
in an older Release file.

 At least the explenation that I picked up when this was asked before
went along those lines.  Guess if I understood it wrongly I'll get
corrected on it.

 Enjoy,
Rhonda
-- 
Fühlst du dich mutlos, fass endlich Mut, los  |
Fühlst du dich hilflos, geh raus und hilf, los| Wir sind Helden
Fühlst du dich machtlos, geh raus und mach, los   | 23.55: Alles auf Anfang
Fühlst du dich haltlos, such Halt und lass los|

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

2018-03-26 Thread Paul Wise

On Mon, Mar 26, 2018 at 5:54 PM, Martin Monperrus wrote:

> Would it make sense to keep track of valid https support for the
> secondary mirrors?

If it could be done automatically I guess.
Please contact the mirror team about this.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

2018-03-26 Thread Martin Monperrus

Hi Pabs,

Thanks for your answer.

> The Debian mirror team don't keep track of https support for the
> secondary mirrors
Would it make sense to keep track of valid https support for the
secondary mirrors?

Best,--Martin

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

2018-03-24 Thread Paul Wise

On Sun, Mar 25, 2018 at 5:37 AM, Martin Monperrus wrote:

> Switching my APT config to HTTPS, I notice that many mirrors either do not
> support HTTPS or have untrusted HTTPS certificates

This isn't something the Debian website team can fix, please contact
the admin for each mirror individually.

> (eg https://mirror-csail.debian.org/)

That hostname is not a public Debian mirror and doesn't support https,
what gave you the impression it was?

> It would be great to update the reference page
> https://www.debian.org/mirror/list to clearly show all mirrors supporting 
> HTTPS
> with a valid certificate.

The primary mirrors ftp.*.debian.org cannot support https because the
mirror team have to be able to repoint the domains at different
mirrors when one goes down.

The Debian mirror team don't keep track of https support for the
secondary mirrors so the website team cannot add information about
that to the website.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

2018-03-24 Thread Martin Monperrus

Package: www.debian.org
Severity: normal

Dear Maintainer,

Switching my APT config to HTTPS, I notice that many mirrors either do not
support HTTPS or have untrusted HTTPS certificates (eg https://mirror-
csail.debian.org/)

It would be great to update the reference page
https://www.debian.org/mirror/list to clearly show all mirrors supporting HTTPS
with a valid certificate.



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), 
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

10 matches

Site Navigation

Mail list logo

Footer information