Important APT security update - please read the instructions to upgrade APT safely https://www.debian.org/security/2019/dsa-4371
@debian Ouch. I wondered why Debian wasn't using HTTPS. Any plans to do so now, in the light of this vulnerability?
@wizzwizz4 Debian already supports https. But TLS certificates depend on CAs, and most of them aren't trustworthy. Unless you use DANE/HPKP, don't expect https to *prevent* MITM attacks.
@devnull Fair point. However, loads of CAs are trusted by default for _everything else_, and it's better to pile on extra layers so an attacker will need to break _all_ of them.
@wizzwizz4 That's a huge problem. CAs shouldn't be trusted, because they don't give a crap about security. They're only for profit.
More software needs to support DANE, more admins need to learn how to configure DANE and HPKP properly.
1. Let's Encrypt.
2. It helps to prevent attackers from easily utilising a vulnerability in one layer of mitigation.
Yeah, it's not perfect. But yes, it's better than nothing. HTTPS + DANE is better than HTTPS + CAs, but HTTPS + DANE + CAs is even better. And @debian doesn't have DANE yet, anyway!
@wizzwizz4 Let's Encrypt won't prevent CAs from doing harm for profit.
No, HTTPS + DANE + CA isn't better than HTTPS + DANE. CAs add nothing and have the ability to forge rogue certificates, unless HPKP (1) is used. And DANE can make a self-signed certificate trusted without third parties.
The real problem is that clients don't support DANE natively; Firefox used to support it via an addon. And most servers' admins don't use it.
1. Some clients don't support HPKP.
@wizzwizz4 Debian already supports https for apt. So HTTPS support is not an issue. But it would be better if both apt and debian repos used DANE with self-signed certificate mode and/or HPKP. If I recall correctly, https://debian.org already supports DANE. I can't test anymore since Firefox 57 broke the compatibility with the DNSSEC/TLSA Validator plugin.
(And GPG signing is better than HTTPS, especially if HTTPS were used to "protect" non-signed packages)
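The "DANE with self-signed certificate mode" mentioned above is TLSA usage 3 (DANE-EE), where the DNSSEC-signed TLSA record itself pins the server's certificate and no CA is consulted. The following is an added example, not code from the thread or from Debian, showing how a client checks a presented certificate against a TLSA record and how an admin would generate one. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, not real DER; DNSSEC validation of the record and PKIX chain building (needed for usages 0, 1 and 2) are outside the example and are represented by a caller-supplied flag.

```python
import hashlib
import hmac

# RFC 6698 matching types: 0 = exact data, 1 = SHA-256, 2 = SHA-512.
_HASHES = {0: None, 1: hashlib.sha256, 2: hashlib.sha512}

# Constructed stand-ins for a DER-encoded self-signed certificate and its
# SubjectPublicKeyInfo. Real code would take these from the TLS handshake.
CERT_DER = b"constructed: not a real DER certificate"
SPKI_DER = b"constructed: not a real SubjectPublicKeyInfo"


def _association_data(selector, cert_der, spki_der):
    """Selector 0 covers the full certificate, 1 only the public key."""
    if selector == 0:
        return cert_der
    if selector == 1:
        return spki_der
    raise ValueError("unknown TLSA selector %r" % selector)


def _digest(matching_type, data):
    h = _HASHES[matching_type]
    return data if h is None else h(data).digest()


def build_tlsa(cert_der, spki_der, usage=3, selector=0, matching_type=1):
    """Admin side: produce the presentation form of a TLSA record.

    The default (3 0 1) is DANE-EE over the whole certificate, which is
    what makes a self-signed certificate trustworthy without any CA.
    """
    data = _association_data(selector, cert_der, spki_der)
    return "%d %d %d %s" % (usage, selector, matching_type,
                            _digest(matching_type, data).hex())


def parse_tlsa(text):
    usage, selector, matching_type, hexdata = text.split()
    return int(usage), int(selector), int(matching_type), bytes.fromhex(hexdata)


def tlsa_accepts(record_text, cert_der, spki_der, pkix_valid=False):
    """Client side: decide whether the presented certificate satisfies the record.

    `pkix_valid` stands in for a full CA chain validation that the caller
    performed; it is only consulted for the PKIX-constrained usages.
    """
    usage, selector, matching_type, expected = parse_tlsa(record_text)
    if matching_type not in _HASHES:
        return False  # unknown matching type: treat the record as unusable
    actual = _digest(matching_type, _association_data(selector, cert_der, spki_der))
    matches = hmac.compare_digest(actual, expected)
    if usage == 3:
        # DANE-EE: the record alone vouches for the certificate.
        return matches
    if usage == 1:
        # PKIX-EE: the certificate must match AND chain to a trusted CA.
        return matches and pkix_valid
    # Usages 0 and 2 constrain a CA in the chain; that requires walking
    # the chain, which this example does not implement, so reject.
    return False


if __name__ == "__main__":
    record = build_tlsa(CERT_DER, SPKI_DER)
    print(record)
    print("self-signed accepted under usage 3:", tlsa_accepts(record, CERT_DER, SPKI_DER))
    print("different cert accepted:", tlsa_accepts(record, b"other cert", SPKI_DER))
```

Note the asymmetry the thread argues about: with usage 3 the CA system is simply not in the trust path, whereas with usage 1 a rogue CA certificate that is also pinned would still need to match the record, so the record pins even when a CA is involved.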