On Sun, 2014-07-13 at 15:19:22 -0700, Steve Langasek wrote:
> On Sun, Jul 13, 2014 at 10:13:10PM +0200, Martin Zobel-Helas wrote:
> > Furthermore, we will change the people.debian.org web-service such that
> > only HTTPS connections will be supported (unencrypted requests will be
> > redirected).
> 
> […] If http
> connections are still allowed, this doesn't provide any protection from a
> MITM attack for most users; and the contents of people.d.o are not generally
> security sensitive.

HSTS protects mostly from MITM (except for first connection), but I'm
not sure if DSA is planning to add it.

Thanks,
Guillem

