Hi Hanno,

Thank you very much for bringing this to our attention.

I'll submit a patch shortly for approval to get this amended.

Please do let us know if you spot anything else!

Phil

On Thu, 24 Aug 2017 19:53:59 +0200 Hanno Böck <hanno@hboeck.de> wrote:
> Package: www.debian.org
> 
> When downloading a Debian CD there's a webpage explaining how to verify
> signatures:
> https://www.debian.org/CD/verify
> 
> This recommends checking the signatures with the keys from the Debian
> GPG keyring. However that link is HTTP, pointing to:
> http://keyring.debian.org/
> 
> It will immediately redirect to HTTPS, but an attacker could intercept
> that redirection and present a user with a malicious keyring instead.
> 
> This makes the verification kinda pointless, as the keyring is
> delivered over a potentially insecure channel. The lack of HSTS on
> debian.org makes this particularly worrisome. Please change that link
> to HTTPS.
> 
> 
-- 
Phil
