[arch-general] secure package signing related websites

Christian Hesse list at eworm.de
Mon Mar 5 04:04:55 EST 2012


Leonid Isaev <lisaev at umail.iu.edu> on Sun, 4 Mar 2012 10:32:45 -0600:
> On Sun, 4 Mar 2012 14:56:43 +0100
> Christian Hesse <list at eworm.de> wrote:
> 
> > Ionut Biru <ibiru at archlinux.org> on Sun, 04 Mar 2012 12:57:53 +0200:
> > > On 03/04/2012 12:22 PM, Christian Hesse wrote:
> > > > I think it makes sense to not allow pages related to package signing
> > > > being delivered via http. Instead automatically redirect to https to
> > > > avoid man in the middle attacks. First site that comes to my mind:
> > > > https://www.archlinux.org/master-keys/
> > > 
> > > open a feature request and tag it with {archweb}
> > 
> > Done. Thanks!
> > https://bugs.archlinux.org/task/28771
> 
> The strong point of the signing thingy is users' ability to verify keys
> using multiple independent sources, such as devs' personal websites,
> keyservers, etc. Relying on archlinux.org solely would be a mistake, imho.
> Do I really trust in the integrity of archlinux.org infrastructure? Not really,
> but I don't have to.
> 
> Having said that, just use https:// directly or install a browser plugin
> (e.g. https finder). 

Sure, you should check multiple independent sources. But if all of them are
unencrypted by default, it would be fairly easy to use netsed or similar tools
on a single network node to replace all key fingerprints with faked ones.

Only those users that are aware of this risk will use https://.
-- 
Best regards,
Chris
                         O< ascii ribbon campaign
                   stop html mail - www.asciiribbon.org
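
Added example, not part of the original post: a sketch of the point made in the thread, that fingerprint copies fetched over plain http are not independent of each other, because one in-path node can rewrite all of them. The source names, the transport labels, the `required` threshold and both fingerprints are constructed for illustration.

```python
import re

# Constructed sample values, not real keys.
GOOD = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
FAKE = "FFFF" * 10

def normalize(fpr):
    """Drop spaces, colons and an optional 0x prefix; return upper-case hex."""
    fpr = re.sub(r"[\s:]", "", fpr).upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a 40-hex-digit fingerprint: %r" % fpr)
    return fpr

def assess(observations, required=2):
    """observations: list of (source, transport, fingerprint) tuples,
    where transport is 'http' or 'https' (assumed labels).

    Every 'http' source is folded into one failure domain: a single
    network node that rewrites plaintext pages controls all of them,
    so agreement among them adds no assurance."""
    domains = {}
    for source, transport, fpr in observations:
        domain = "plaintext-network" if transport == "http" else source
        domains.setdefault(domain, set()).add(normalize(fpr))
    seen = set().union(*domains.values()) if domains else set()
    if len(seen) > 1:
        return "mismatch", len(domains)      # sources disagree: stop and investigate
    if len(domains) < required:
        return "insufficient", len(domains)  # agreement, but not independent
    return "ok", len(domains)

if __name__ == "__main__":
    # Three plaintext pages that all show the same (rewritten) value.
    print(assess([("site", "http", FAKE),
                  ("dev-page", "http", FAKE),
                  ("keyserver-web", "http", FAKE)]))
    # One authenticated copy contradicts a rewritten plaintext copy.
    print(assess([("site", "https", GOOD), ("dev-page", "http", FAKE)]))
```
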

