Important APT security update - please read the instructions to upgrade APT safely debian.org/security/2019/dsa-4

@debian Ouch. I wondered why Debian wasn't using HTTPS. Any plans to do so now, in the light of this vulnerability?

@wizzwizz4 Debian already supports https. But TLS certificates depend on CAs, and most of them aren't trustworthy. Unless you use DANE/HPKP, don't expect https to *prevent* MITM attacks.

packages.debian.org/en/stretch


@devnull Fair point. However, loads of CAs are trusted by default for _everything else_, and it's better to pile on extra layers so an attacker will need to break _all_ of them.

@wizzwizz4 That's a huge problem. CAs shouldn't be trusted, because they don't give a crap about security. They're only for profit.

More software needs to support DANE, more admins need to learn how to configure DANE and HPKP properly.


1. Let's Encrypt.
2. It helps to prevent attackers from easily utilising a vulnerability in one layer of mitigation.

Yeah, it's not perfect. But yes, it's better than nothing. HTTPS + DANE is better than HTTPS + CAs, but HTTPS + DANE + CAs is even better. And @debian doesn't have DANE yet, anyway!

@wizzwizz4 Let's Encrypt won't prevent CAs from doing harm for profit.

No, HTTPS + DANE + CA isn't better than HTTPS + DANE. CAs add nothing and have the ability to forge rogue certificates, unless HPKP (1) is used. And DANE can make a self-signed certificate trusted without third parties.

The real problem is that clients don't support DANE natively; Firefox used to support it via an addon. And most servers' admins don't use it.

1. Some clients don't support HPKP.
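The DANE-EE check the post above describes, in which a TLSA record published in DNS vouches for an end-entity (possibly self-signed) certificate without any CA in the picture, as an added example that is not part of this thread and not Debian's or any project's code. It parses the zone-file form of a TLSA record ("3 1 1 <hex>"), extracts the SubjectPublicKeyInfo from a DER certificate with a minimal ASN.1 walk, and matches it under the selector and matching-type rules of RFC 6698. The certificate is a constructed skeleton with a dummy Ed25519-shaped key, built only so the block runs offline; only certificate usage 3 (DANE-EE) is handled, since usages 0-2 need chain validation that this example deliberately leaves out.

```python
import hashlib
from dataclasses import dataclass

# Field values from RFC 6698 section 2.1
DANE_EE = 3          # usage 3: match the end-entity cert directly, no CA path needed
SELECTOR_FULL = 0    # match the whole DER certificate
SELECTOR_SPKI = 1    # match only the SubjectPublicKeyInfo (survives re-issuance with same key)
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file form '3 1 1 <hex>' (hex may be split by spaces)."""
    usage, selector, matching, hexdata = presentation.split(None, 3)
    return TLSARecord(int(usage), int(selector), int(matching),
                      bytes.fromhex(hexdata.replace(" ", "")))


def _der_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, end_of_tlv)."""
    tag = buf[pos]
    length = buf[pos + 1]
    header = 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header = 2 + n
    start = pos + header
    return tag, buf[start:start + length], start + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV from an X.509 certificate.

    Minimal walk of Certificate -> tbsCertificate, enough for TLSA selector 1.
    """
    _, cert_body, _ = _der_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, tbs, _ = _der_tlv(cert_body, 0)            # tbsCertificate SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        tag, _, end = _der_tlv(tbs, pos)
        fields.append((tag, tbs[pos:end]))        # keep the whole TLV
        pos = end
    idx = 1 if fields[0][0] == 0xA0 else 0        # skip explicit [0] version if present
    # order after version: serialNumber, signature, issuer, validity, subject, spki
    return fields[idx + 5][1]


def tlsa_matches(record: TLSARecord, cert_der: bytes) -> bool:
    """Check a presented end-entity certificate against a DANE-EE TLSA record."""
    if record.usage != DANE_EE:
        raise NotImplementedError("only DANE-EE (usage 3) is handled in this example")
    if record.selector == SELECTOR_FULL:
        subject = cert_der
    elif record.selector == SELECTOR_SPKI:
        subject = extract_spki(cert_der)
    else:
        return False                               # unknown selector: fail closed
    if record.matching_type == MATCH_EXACT:
        return subject == record.data
    if record.matching_type == MATCH_SHA256:
        return hashlib.sha256(subject).digest() == record.data
    if record.matching_type == MATCH_SHA512:
        return hashlib.sha512(subject).digest() == record.data
    return False                                   # unknown matching type: fail closed


def make_tlsa(cert_der: bytes, selector: int = SELECTOR_SPKI,
              matching_type: int = MATCH_SHA256) -> str:
    """Produce the '3 <sel> <match> <hex>' record an admin would publish for a cert."""
    subject = extract_spki(cert_der) if selector == SELECTOR_SPKI else cert_der
    if matching_type == MATCH_SHA256:
        data = hashlib.sha256(subject).digest()
    elif matching_type == MATCH_SHA512:
        data = hashlib.sha512(subject).digest()
    else:
        data = subject
    return f"{DANE_EE} {selector} {matching_type} {data.hex()}"


# --- constructed sample certificate (not a real key, not a real cert) ----------
def _der(tag: int, content: bytes) -> bytes:
    """DER-encode one TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_cert(key_byte: int = 0x11) -> bytes:
    """Build a skeletal certificate whose SPKI carries a dummy Ed25519-shaped key."""
    spki = _der(0x30, _der(0x30, _der(0x06, b"\x2b\x65\x70"))      # OID 1.3.101.112
                + _der(0x03, b"\x00" + bytes([key_byte]) * 32))   # BIT STRING key
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))               # [0] version v3
                + _der(0x02, b"\x01")                               # serialNumber
                + _der(0x30, b"") + _der(0x30, b"")                 # signature, issuer
                + _der(0x30, b"") + _der(0x30, b"")                 # validity, subject
                + spki)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))  # sigAlg, signature


if __name__ == "__main__":
    cert = sample_cert()
    record = make_tlsa(cert)
    print(record)
    print("presented cert matches:", tlsa_matches(parse_tlsa(record), cert))
    print("cert with a different key matches:", tlsa_matches(parse_tlsa(record), sample_cert(0x22)))
```

The "3 1 1" form (DANE-EE, SPKI, SHA-256) is the one commonly recommended for publication: pinning the key rather than the whole certificate lets the operator re-issue or extend the certificate without touching DNS, while a certificate carrying any other key is rejected regardless of who signed it. Note that the trust this gives is only as good as the DNSSEC validation of the TLSA lookup, which this block assumes has already happened.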


@wizzwizz4 CAs don't certify that websites are trustworthy, or that admins are who they claim to be. CAs aren't a criterion to decide whether we should trust a server or not. Trust level should never depend on whether a server uses a self-signed certificate or a CA-signed one.

All CAs do is make all certificates they sign trusted by clients that trust the signing CA. That doesn't mean they add extra security to HTTPS.


@devnull CAs are simply a method for sites to authenticate themselves – and a weak method at that. You're right in saying that CAs offer no advantage when DANE is around.

La Quadrature du Net - Mastodon - Media Fédéré