• Bug#873122: HTTP Link to Keyring

    From Hanno Böck@21:1/5 to All on Thu Aug 24 21:10:02 2017
    XPost: linux.debian.bugs.dist

    Package: www.debian.org

    When downloading a Debian CD there's a webpage explaining how to verify signatures:
    https://www.debian.org/CD/verify

    This recommends checking the signatures with the keys from the Debian
    GPG keyring. However, that link is HTTP, pointing to:
    http://keyring.debian.org/

    It will immediately redirect to HTTPS, but an attacker could intercept
    that redirection and present a user with a malicious keyring instead.

    This makes the verification kinda pointless, as the keyring is
    delivered over a potentially insecure channel. The lack of HSTS on
    debian.org makes this particularly worrisome. Please change that link
    to HTTPS.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Phil@21:1/5 to hanno@hboeck.de on Thu Aug 24 23:40:02 2017
    XPost: linux.debian.bugs.dist

    Hi Hanno,

    Thank you very much for bringing this to our attention.

    I'll submit a patch shortly for approval to get this amended.

    Please do let us know if you spot anything else!

    Phil

    On Thu, 24 Aug 2017 19:53:59 +0200 Hanno Böck <hanno@hboeck.de> wrote:
    > Package: www.debian.org
    >
    > When downloading a Debian CD there's a webpage explaining how to
    > verify signatures:
    > https://www.debian.org/CD/verify
    >
    > This recommends checking the signatures with the keys from the Debian
    > GPG keyring. However, that link is HTTP, pointing to: http://keyring.debian.org/
    >
    > It will immediately redirect to HTTPS, but an attacker could intercept
    > that redirection and present a user with a malicious keyring instead.
    >
    > This makes the verification kinda pointless, as the keyring is
    > delivered over a potentially insecure channel. The lack of HSTS on
    > debian.org makes this particularly worrisome. Please change that link
    > to HTTPS.

    --
    Phil

  • From Phil@21:1/5 to All on Thu Aug 24 23:50:02 2017
    XPost: linux.debian.bugs.dist

    Note that this will also need to be applied for all the translated
    pages as well. Please let me know if there's anything I can do to speed
    the process up.

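Phil's point that the fix has to reach every translated copy of the page is where an automated check earns its place: one scan over the English source and all of its translations that lists every link still using plain http, so the same insecure link is not left behind in one language. The following is an added example written for this thread, not part of the Debian website tooling or of the submitted patch; the set of hosts that must be linked over HTTPS (keyring.debian.org, www.debian.org) is an assumption taken from the report, and the sample wml is a constructed abridgement of the attached file with two extra links added to show what is and is not reported.

```python
"""Flag plain-http links in wml/HTML page sources.

Added example for this bug thread, not part of the Debian website
tooling or of the submitted patch. Before pushing a fix like the one
for #873122 to the English page and every translation, a maintainer
wants one command that lists each href whose scheme is plain http,
with file, line and URL, so no language copy is left pointing at
http://keyring.debian.org.
"""
import re
import sys
from pathlib import Path

# href/src attributes, single- or double-quoted. The attribute is matched
# on its own, not as part of a tag, because wml sources wrap lines freely
# and "<a" often sits on the line before its href="...".
ATTR_RE = re.compile(
    r"""\b(?:href|src)\s*=\s*(["'])(?P<url>[^"']*)\1""", re.IGNORECASE)

# Hosts that are served over HTTPS and must never be linked as http.
# Assumption for this example: keyring.debian.org belongs here because,
# as the report says, it already redirects to HTTPS. Extend for a real site.
MUST_BE_HTTPS = {"keyring.debian.org", "www.debian.org"}


def find_insecure_links(text, name="<stdin>", require_https=MUST_BE_HTTPS):
    """Return [(name, lineno, url)] for every plain-http link in text.

    With require_https=None every http:// link is reported. With a set of
    hosts, only links to those hosts are: an external host with no HTTPS
    service is a policy question, not a bug in the page.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ATTR_RE.finditer(line):
            url = m.group("url").strip()
            scheme, sep, rest = url.partition("://")
            if not sep or scheme.lower() != "http":
                continue  # relative link, https, mailto:, ftp:, ...
            host = rest.split("/", 1)[0].split(":", 1)[0].lower()
            if require_https is None or host in require_https:
                findings.append((name, lineno, url))
    return findings


def scan_files(paths, require_https=MUST_BE_HTTPS):
    """Run find_insecure_links over each path (e.g. verify.wml and its
    translated siblings) and collect all findings."""
    findings = []
    for path in paths:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
        findings.extend(find_insecure_links(text, str(path), require_https))
    return findings


# Constructed sample: abridged from the pre-fix wml attached to the bug,
# plus two extra links to show what is and is not reported.
SAMPLE_WML = """\
#use wml::debian::cdimage title="Verifying authenticity of Debian CDs" BARETITLE=true
<p>
The keys used for these signatures are all in the <a
href="http://keyring.debian.org">Debian GPG keyring</a> and the best
way to check them is to use that keyring to validate via the web of
trust.
</p>
<p>See also <a href='https://www.debian.org/CD/verify'>this page</a>
and <a href="http://example.invalid/mirror">an external mirror</a>.</p>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_files(sys.argv[1:])
    else:
        results = find_insecure_links(SAMPLE_WML, "verify_v15.wml")
    for name, lineno, url in results:
        print(f"{name}:{lineno}: insecure link {url}")
    sys.exit(1 if results else 0)  # non-zero exit makes this usable in CI
```

Run with no arguments it scans the embedded sample and reports the keyring link on line 4; pass the English wml file together with the translated copies to scan a whole site tree, and the non-zero exit status lets the check block a commit that would reintroduce the link. Passing require_https=None turns it into a full inventory of http links, which is the right mode for an initial audit before deciding which external hosts genuinely have no HTTPS service.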
  • From Phil@21:1/5 to philipw@riseup.net on Thu Aug 24 23:40:02 2017
    XPost: linux.debian.bugs.dist

    Package: www.debian.org
    Severity: normal
    Tags: patch

    I'm attaching the original wml file + patches to change http to https.

    I wanted to rename them version 1.5 /1.6 etc but didn't want to put an
    extra dot. Do let me know what's good practice as this is just my
    second patch submitted.

    On Thu, 24 Aug 2017 21:28:00 +0100 Phil <philipw@riseup.net> wrote:
    > Hi Hanno,
    >
    > Thank you very much for bringing this to our attention.
    >
    > I'll submit a patch shortly for approval to get this amended.
    >
    > Please do let us know if you spot anything else!
    >
    > Phil
    >
    > On Thu, 24 Aug 2017 19:53:59 +0200 Hanno Böck <hanno@hboeck.de> wrote:
    > > Package: www.debian.org
    > >
    > > When downloading a Debian CD there's a webpage explaining how to
    > > verify signatures:
    > > https://www.debian.org/CD/verify
    > >
    > > This recommends checking the signatures with the keys from the
    > > Debian GPG keyring. However, that link is HTTP, pointing to: http://keyring.debian.org/
    > >
    > > It will immediately redirect to HTTPS, but an attacker could
    > > intercept that redirection and present a user with a malicious keyring
    > > instead.
    > >
    > > This makes the verification kinda pointless, as the keyring is
    > > delivered over a potentially insecure channel. The lack of HSTS on
    > > debian.org makes this particularly worrisome. Please change that
    > > link to HTTPS.
    >
    > --
    > Phil

    --
    Phil

    [Attachment 1 of 3, decoded from base64: the patched wml file, with the https link]

    #use wml::debian::cdimage title="Verifying authenticity of Debian CDs" BARETITLE=true

    <p>
    Official releases of Debian CDs come with signed checksum files;
    look for them alongside the images in the <code>iso-cd</code>,
    <code>jigdo-dvd</code>, <code>iso-hybrid</code> etc. directories.
    These allow you to check that the images you download are correct.
    First of all, the checksum can be used to check that the CDs have not
    been corrupted during download.
    Secondly, the signatures on the checksum files allow you to confirm
    that the files are the ones officially released by the Debian CD /
    Debian Live team and have not been tampered with.
    </p>

    <p>
    To validate the contents of a CD image, just be sure to use the
    appropriate checksum tool.
    Cryptographically strong checksum
    algorithms (SHA256 and SHA512) are available for every releases; you should use the tools
    <code>sha256sum</code> or <code>sha512sum</code> to work with these.
    </p>

    <p>
    To ensure that the checksums files themselves are correct, use GnuPG to
    verify them against the accompanying signature files (e.g.
    <code>SHA512SUMS.sign</code>).
    The keys used for these signatures are all in the <a
    href="https://keyring.debian.org">Debian GPG keyring</a> and the best
    way to check them is to use that keyring to validate via the web of
    trust.
    To make life easier for users, here are the fingerprints for the keys
    that have been used for releases in recent years:
    </p>

    #include "$(ENGLISHDIR)/CD/CD-keys.data"


    [Attachment 2 of 3, decoded from base64: the unified diff]

    --- verify_v15.wml	2017-08-24 21:29:56.068732095 +0100
    +++ verify_v16.wml	2017-08-24 21:31:26.540391738 +0100
    @@ -25,7 +25,7 @@
     verify them against the accompanying signature files (e.g.
     <code>SHA512SUMS.sign</code>).
     The keys used for these signatures are all in the <a
    -href="http://keyring.debian.org">Debian GPG keyring</a> and the best
    +href="https://keyring.debian.org">Debian GPG keyring</a> and the best
     way to check them is to use that keyring to validate via the web of
     trust.
     To make life easier for users, here are the fingerprints for the keys
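    Review bot: the hunk is correct and minimal, changing only the scheme of the keyring link in the href from "http://keyring.debian.org" to "https://keyring.debian.org" with the surrounding context untouched, but the headers name the local copies "verify_v15.wml" and "verify_v16.wml" rather than the page's path in the website source, so whoever applies it has to adjust the path (or the diff should be regenerated inside the source tree); as noted earlier in the thread, the translated copies of this page carry the same link and need the same one-line change, which this patch does not cover.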


    [Attachment 3 of 3, decoded from base64: the original wml file, with the http link]

    #use wml::debian::cdimage title="Verifying authenticity of Debian CDs" BARETITLE=true

    <p>
    Official releases of Debian CDs come with signed checksum files;
    look for them alongside the images in the <code>iso-cd</code>,
    <code>jigdo-dvd</code>, <code>iso-hybrid</code> etc. directories.
    These allow you to check that the images you download are correct.
    First of all, the checksum can be used to check that the CDs have not
    been corrupted during download.
    Secondly, the signatures on the checksum files allow you to confirm
    that the files are the ones officially released by the Debian CD /
    Debian Live team and have not been tampered with.
    </p>

    <p>
    To validate the contents of a CD image, just be sure to use the
    appropriate checksum tool.
    Cryptographically strong checksum
    algorithms (SHA256 and SHA512) are available for every releases; you should use the tools
    <code>sha256sum</code> or <code>sha512sum</code> to work with these.
    </p>

    <p>
    To ensure that the checksums files themselves are correct, use GnuPG to
    verify them against the accompanying signature files (e.g.
    <code>SHA512SUMS.sign</code>).
    The keys used for these signatures are all in the <a
    href="http://keyring.debian.org">Debian GPG keyring</a> and the best
    way to check them is to use that keyring to validate via the web of
    trust.
    To make life easier for users, here are the fingerprints for the keys
    that have been used for releases in recent years:
    </p>

    #include "$(ENGLISHDIR)/CD/CD-keys.data"
