you are leaking a LOT of data in the user agent string. is that really necessary? passive CA tampering or even statistical CA tampering (eg. 1% chance forged at 3AM local time) could be used to fingerprint clients using that user agent string. it is FAR TOO VERBOSE.
but more importantly, there is no HPKP configured, which allows an adversary to taint the entropy pool. remember that nation states, including the Great Firewall of China, can easily intermediate the HTTPS CA certificate and forge a malicious entropy reply to the client. This could have disastrous consequences for clients. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1634346 Title: https://entropy.ubuntu.com lacks Perfect Forward Secrecy (PFS) and has certificate chain issues To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pollen/+bug/1634346/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
