Hi,
quite some people around me use debian with view of creating secure
encrypted systems. Consider for example in France boum.org, who have
published a book about computer security which advises people to use debian.
Those people turn to me with questions about how safe things are and want
Hi all,
a small disclaimer first, I am not affiliated with debian in any way, I
am, as the original author would have put it, a user. I would like to
play devil's advocate in a few of the quite interesting points that Naja
raises:
1) Why is *getting* debian over plain HTTP such a big issue?
On Sun., 2011-01-23 at 17:35 +0100, Naja Melan wrote:
Some weeks ago I decided to have a look at debian and quite soon ran into
questions and problems considering the security of debian. I would like to
share some of those questions, remarks in this mail in the hope of
stimulating a discussion
On Sun, 2011-01-23 at 19:34 +0200, AK wrote:
a small disclaimer first, I am not affiliated with debian in any way,
I am, as the original author would have put it, a user.
The same goes for me, so I suppose my remarks should be taken with a
comparably-sized grain of salt. :) That said:
1)
Thanks for the reply and the links Robert.
I agree with your point on SSL/TLS not being as computationally
expensive as it used to be, however (as you correctly state) it can be
more of an issue regarding management/resources, as well as red tape.
Regarding Google's statement with SSL/TLS cost
In 4d3c66a0.80...@gmail.com, AK wrote:
3) Regarding policies, I think that unfortunately Debian has a bad
record (cough, cough, openSSL PRNG circa 2008)
The patch file that introduced that security issue can be broken into two
parts that don't overlap: (a) the part that fixed the policy
Quoting Naja Melan (najame...@gmail.com):
Some weeks ago I decided to have a look at debian and quite soon ran into
questions and problems considering the security of debian. I would like to
share some of those questions, remarks in this mail in the hope of
stimulating a discussion[...]
It
On Sun, Jan 23, 2011 at 12:34 PM, AK wrote:
Hi all,
a small disclaimer first, I am not affiliated with debian in any way, I
am, as the original author would have put it, a user. I would like to
play devil's advocate in a few of the quite interesting points that Naja
raises:
1) Why is
On Sun, 2011-01-23 at 19:32 -0500, Michael Gilbert wrote:
Also, a discussion could be started with SPI to see if they are
willing to purchase a CA cert. That would at least allow users with
implicit trust in the CA system to get a nice fuzzy feeling when they
see the lock icon when
Michael Gilbert wrote:
There is no need to worry about additional load on the mirrors since
the only thing that needs to be verifiable are the checksums
themselves, and that could easily be hosted on a centralized https
server separate from the mirror system.
The Debian CDs and the Archive
On Sun, 23 Jan 2011 20:22:34 -0600 Raphael Geissert wrote:
Michael Gilbert wrote:
There is no need to worry about additional load on the mirrors since
the only thing that needs to be verifiable are the checksums
themselves, and that could easily be hosted on a centralized https
server
On Sunday, 23 January 2011, at 20:52:44, AK wrote:
Regarding the MD5 sum example and certain released PoCs: producing two
random files with identical MD5 sums is one thing, introducing a
meaningful backdoor (which means deterministic change) or ten in a
Debian iso and generating an iso file