XPost: linux.debian.bugs.dist
Package: www.debian.org
Severity: normal
Tags: patch
I'm attaching the original wml file + patches to change http to https.
I wanted to rename them version 1.5 /1.6 etc but didn't want to put an
extra dot. Do let me know what's good practice as this is just my
second patch submitted.
On Thu, 24 Aug 2017 21:28:00 +0100 Phil <philipw@riseup.net> wrote:
Hi Hanno,
Thank you very much for bringing this to our attention.
I'll submit a patch shortly for approval to get this amended.
Please do let us know if you spot anything else!
Phil
On Thu, 24 Aug 2017 19:53:59 +0200 Hanno Böck <hanno@hboeck.de> wrote:
Package: www.debian.org
When downloading a Debian CD there's a webpage explaining how to verify signatures:
https://www.debian.org/CD/verify
This recommends checking the signatures with the keys from the Debian GPG keyring. However that link is HTTP, pointing to: http://keyring.debian.org/
It will immediately redirect to HTTPS, but an attacker could intercept that redirection and present a user with a malicious keyring instead.
This makes the verification kinda pointless, as the keyring is delivered over a potentially insecure channel. The lack of HSTS on debian.org makes this particularly worrisome. Please change that link to HTTPS.
--
Phil
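As an added example (not part of the report or the attached debian-www patch), a small Python audit that finds plain-http hrefs of the kind the report describes and checks whether an http-to-https redirect is backed by HSTS; the HTML fragment and response headers are constructed samples, not fetched from debian.org.

```python
"""Added example (not from the bug report): flag plain-http hrefs of the kind
this report asks to fix, and judge whether an http->https redirect is backed
by HSTS.  The HTML and headers are constructed samples, not fetched."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed fragment modelled on the verify page paragraph the report cites.
SAMPLE_HTML = """
<p>The keys used for these signatures are all in the <a
href="http://keyring.debian.org">Debian GPG keyring</a>; see also
<a href="https://www.debian.org/CD/verify">the verify page</a> and
<a href="/CD/faq/">the FAQ</a>.</p>
"""

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def find_insecure_links(html):
    """Return absolute http:// hrefs; relative links inherit the page scheme."""
    p = _LinkCollector()
    p.feed(html)
    return [h for h in p.hrefs if urlsplit(h).scheme == "http"]

def hsts_max_age(headers):
    """max-age from Strict-Transport-Security (seconds), 0 if absent/invalid.
    A bare http->https redirect is still interceptable on the first plaintext
    request; with HSTS a returning browser never makes that request."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    for directive in (value or "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            return int(arg.strip('"'))
    return 0

def redirect_is_protected(https_headers):
    """HSTS only counts when sent on the https response."""
    return hsts_max_age(https_headers) > 0

# Constructed https-response headers: no HSTS (as the report describes) vs hardened.
NO_HSTS = {"Content-Type": "text/html"}
WITH_HSTS = {"Content-Type": "text/html",
             "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
```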
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)