Leonid Isaev <lisaev@xxxxxxxxxxxx> on Sun, 4 Mar 2012 10:32:45 -0600: > On Sun, 4 Mar 2012 14:56:43 +0100 > Christian Hesse <list@xxxxxxxx> wrote: > > > Ionut Biru <ibiru@xxxxxxxxxxxxx> on Sun, 04 Mar 2012 12:57:53 +0200: > > > On 03/04/2012 12:22 PM, Christian Hesse wrote: > > > > I think it makes sense to not allow pages related to package signing > > > > being delivered via http. Instead automatically redirect to https to > > > > avoid man in the middle attacks. First site that comes to my mind: > > > > https://www.archlinux.org/master-keys/ > > > > > > open a feature request and tag it with {archweb} > > > > Done. Thanks! > > https://bugs.archlinux.org/task/28771 > > The strong point of the signing thingy is users' ability to verify keys > using multiple independent sources, such as devs' personal websites, > keyservers, etc. Relying on archlinux.org solely would be a mistake, imho. > Do I really trust in integrity of archlinux.org infrastructure? Not really, > but I don't have to. > > Having said that, just use https:// directly or install a browser plugin > (e.g. https finder). Sure you should check multiple independent sources. But if all of them are unencrypted by default it would be fairly easy to use netsed or similar tools on a single network node to replace all key fingerprints by faked ones. Only those users that are aware of this risk will use https://. -- Best regards, Chris O< ascii ribbon campaign stop html mail - www.asciiribbon.org
