On 05.03.2012 10:04, Christian Hesse wrote:
> Leonid Isaev <lisaev@xxxxxxxxxxxx> on Sun, 4 Mar 2012 10:32:45 -0600:
>> On Sun, 4 Mar 2012 14:56:43 +0100
>> Christian Hesse <list@xxxxxxxx> wrote:
>> > Ionut Biru <ibiru@xxxxxxxxxxxxx> on Sun, 04 Mar 2012 12:57:53 +0200:
>> > > On 03/04/2012 12:22 PM, Christian Hesse wrote:
>> > > > I think it makes sense to not allow pages related to package signing
>> > > > being delivered via http. Instead automatically redirect to https to
>> > > > avoid man in the middle attacks. First site that comes to my mind:
>> > > > https://www.archlinux.org/master-keys/
>>
>> The strong point of the signing thingy is users' ability to verify keys
>> using multiple independent sources, such as devs' personal websites,
>> keyservers, etc. Relying on archlinux.org solely would be a mistake, imho.
>> Do I really trust the integrity of archlinux.org infrastructure? Not really,
>> but I don't have to.
>>
>> Having said that, just use https:// directly or install a browser plugin
>> (e.g. https finder).
>
> Sure you should check multiple independent sources. But if all of them are
> unencrypted by default it would be fairly easy to use netsed or similar tools
> on a single network node to replace all key fingerprints by faked ones.
>
> Only those users that are aware of this risk will use https://.

And those that aren't will just enter "archlinux.org" in the URL bar, which defaults to http in most/all browsers. That means an attacker can simply remove the redirection, fetch the page over https himself, change it and relay that over the http connection.

-- 
Florian Pritz
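Florian's point above is that an http-to-https redirect can be removed on the plain-http hop before the user ever reaches https. As an added example (not from the thread and not Arch's own code), this Python snippet parses a constructed pair of server replies and tells a redirect-only setup apart from one that also sends a Strict-Transport-Security header, the mechanism (not discussed in the thread) that makes a browser keep using https after one successful https visit. The host name and all replies are made up.

```python
# Added example, not from the thread. Given a server's reply to a plain http://
# request and its reply over https://, tell whether HTTPS is enforced only by a
# redirect (strippable by a man in the middle on the http hop, as described
# above) or also by an HSTS header. All replies are constructed, no network.

HTTP_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                 b"Location: https://www.example.org/master-keys/\r\n\r\n")
HTTPS_HSTS = (b"HTTP/1.1 200 OK\r\n"
              b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
              b"Content-Type: text/html\r\n\r\n<html>fingerprints...</html>")
PLAIN_200 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>fingerprints...</html>"

REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_response(raw: bytes):
    """Return (status code, {lowercased header name: value}) for one reply."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split(" ", 2)[1]), headers

def redirects_to_https(raw: bytes, host: str) -> bool:
    """True if the plain-http reply redirects to https:// on the same host."""
    status, headers = parse_response(raw)
    location = headers.get("location", "").lower()
    return status in REDIRECT_CODES and location.startswith(f"https://{host}/")

def hsts_max_age(raw: bytes):
    """max-age of the HSTS policy on the https reply; None if absent or malformed."""
    _, headers = parse_response(raw)
    for directive in headers.get("strict-transport-security", "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            return int(value.strip())
    return None

def classify(http_raw: bytes, https_raw: bytes, host: str) -> str:
    """'none', 'redirect-only' (first http request still interceptable) or 'hsts'."""
    if hsts_max_age(https_raw):           # non-zero max-age: browser pins https
        return "hsts"
    return "redirect-only" if redirects_to_https(http_raw, host) else "none"
```

A redirect-only result is exactly the case described in the thread: every visitor who types the bare host name first speaks plain http, and that one request is where the redirect can be dropped.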