On Fri, Jul 17, 2015 at 04:17:40 +0200, Christoph Anton Mitterer wrote:
> > apt-listbugs uses an unencrypted connection to communicate with the
> > BTS, leaking information about installed packages and versions.
>
> You shouldn't expect that much more security by just switching to TLS.
>
> Unfortunately Debian nowadays uses certificates issued by an external
> CA (Gandi) which itself is just an intermediate CA to USERTrust.
> So everyone in that hierarchy could issue a forged certificate used for
> selective MitM attacks.
> And that already assumes that apt-listbugs would only trust the
> USERTrust or Gandi cert.
Right, but switching to https is a necessary step to allow other layers to implement proper security. I don't think apt-listbugs itself needs to do much more.

There's a TLSA record on _443._tcp.bugs.debian.org; the TLS library should refuse to connect if that can't be validated, or if no DNSSEC records are seen for a domain that should be signed. (Presumably it would fall back to CA-based checking if the DNS resolver has no DNSSEC support, or the domain has chosen not to use it.)

Even if using CAs, https would stop trivial MITM attacks. Random access points, ISP ad-servers, etc., are not likely to be using illegitimate certificates. It seems even the NSA will think twice:

"Something that comes up again and again in the NSA documents is that they are amazingly risk-averse. ... The chance of being noticed by surveillance targets, or anyone else, weighs heavily on operational decisions."
[https://www.schneier.com/news/archives/2014/03/glenn_greenwalds_enc.html#]

-- 
Michael
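The fail-closed decision Michael describes for a TLSA record (refuse on a bogus DNSSEC answer or a non-matching record, fall back to CA checking only when the zone is unsigned) is sketched below as an added example; it is not code from the thread or from apt-listbugs. It handles the end-entity usages (1 = PKIX-EE, 3 = DANE-EE), takes the certificate and SubjectPublicKeyInfo bytes from the caller instead of parsing DER, and uses constructed stand-in bytes rather than the real bugs.debian.org record.

```python
# Added example: DANE/TLSA end-entity matching plus the DNSSEC-status decision.
# The DNSSEC status ("secure", "insecure", "bogus") is whatever a validating
# resolver reported; pkix_ok is the result of ordinary CA chain validation.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # 1 = PKIX-EE, 3 = DANE-EE (0 and 2 need chain handling, omitted here)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def parse_tlsa(rdata: str) -> TLSA:
    """Parse the presentation form '3 1 1 <hex>' of a TLSA record."""
    usage, selector, mtype, hexdata = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def _matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return selected == rec.data
    if rec.mtype == 1:
        return hashlib.sha256(selected).digest() == rec.data
    if rec.mtype == 2:
        return hashlib.sha512(selected).digest() == rec.data
    return False


def decide(dnssec_status: str, records, cert_der: bytes, spki_der: bytes, pkix_ok: bool) -> str:
    """Return 'accept' or 'reject' for the presented certificate."""
    if dnssec_status == "bogus":          # failed validation: never trust the answer
        return "reject"
    usable = [r for r in records
              if r.usage in (1, 3) and r.selector in (0, 1) and r.mtype in (0, 1, 2)]
    if dnssec_status != "secure" or not usable:
        return "accept" if pkix_ok else "reject"   # unsigned zone / no record: CA-only
    for r in usable:
        if _matches(r, cert_der, spki_der):
            if r.usage == 3 or pkix_ok:   # DANE-EE stands alone; PKIX-EE also needs the CA chain
                return "accept"
    return "reject"                       # signed zone, record present, nothing matched


# Constructed sample data (not real DER, not the real bugs.debian.org record).
SAMPLE_CERT = b"constructed-certificate-bytes"
SAMPLE_SPKI = b"constructed-spki-bytes"
DANE_EE_RECORD = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
PKIX_EE_RECORD = "1 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
```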