Differences between revisions 39 and 40
Revision 39 as of 2021-03-27 20:01:17
Size: 4028
Editor: ?bauen1
Comment: httpredir.debian.org supports https
Revision 40 as of 2021-03-28 10:52:55
Size: 4022
Editor: PaulWise
Comment: httpredir is dead, the domain is transitional
Line 11: Line 11:
 * httpredir.debian.org supports https  * deb.debian.org supports https
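Review bot: the replacement line drops httpredir.debian.org without saying what became of it, even though the revision comment states the domain is transitional; readers with the old hostname in sources.list would be helped by keeping a parenthetical such as "(httpredir.debian.org is a transitional alias for deb.debian.org)" next to the new bullet.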


  • Debian websites use SSL certs verifiable by most existing OSes
  • Some mirrors have https enabled and use SSL certs verifiable by most existing OSes
  • Most suites have Valid-Until, preventing indefinite downgrade attacks
  • SSL CA and DNSSEC/TLSA/DANE trust paths to Debian SSL certs
  • SSL connection to the Debian DNSSEC keys

  • Official mirror run by DSA on the Tor network (announcement, followup), unofficial ones run by Debian members too

  • netboot.tar.gz are verifiable via the OpenPGP-signed Release files
  • win32-loader is verifiable via the OpenPGP-signed files called extrafiles

  • deb.debian.org supports https


  • No OpenPGP trust paths (i.e. Monkeysphere) to Debian or mirror SSL certs
  • No OpenPGP trust paths to Debian DNSSEC keys
  • Not available in browser certificate pinning (HPKP)
  • Mirror updates are not authenticated in any way
  • Most clients contacting mirrors reveal package names and version numbers
  • Most mirrors probably have default apache2 logging (recording packages, versions, IPs etc)
  • Mirrors list does not contain any info about https support
  • Security update notices are via email
  • No suggestions to or documentation about how to verify signatures
  • No downloads use the Subresource Integrity standard
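To make the two mirror-privacy bullets above concrete (clients reveal package names and versions, and mirrors probably keep default apache2 logs), here is an added example, not part of this wiki page or of any Debian tool, that parses constructed Apache combined-format log lines, shows exactly which (package, version) pairs each client address leaks to whoever can read the log, and rewrites a line the way a mirror operator could log it with the address and path stripped. The sample log, the addresses and the package versions are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample in Apache "combined" log format (not from any real mirror;
# addresses are documentation ranges and versions are illustrative).
SAMPLE_LOG = """\
203.0.113.5 - - [27/Mar/2021:09:00:01 +0000] "GET /debian/dists/bullseye/InRelease HTTP/1.1" 200 118000 "-" "Debian APT-HTTP/1.3 (2.2.2)"
203.0.113.5 - - [27/Mar/2021:09:00:02 +0000] "GET /debian/pool/main/o/openssl/libssl1.1_1.1.1k-1_amd64.deb HTTP/1.1" 200 1530000 "-" "Debian APT-HTTP/1.3 (2.2.2)"
198.51.100.7 - - [27/Mar/2021:09:00:03 +0000] "GET /debian/pool/main/s/sudo/sudo_1.9.5p2-3_amd64.deb HTTP/1.1" 200 1060000 "-" "Debian APT-HTTP/1.3 (1.8.2.2)"
198.51.100.7 - - [27/Mar/2021:09:00:04 +0000] "GET /debian/pool/main/s/sudo/sudo_1.9.5p2-3_amd64.deb HTTP/1.1" 304 - "-" "Debian APT-HTTP/1.3 (1.8.2.2)"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<agent>[^"]*)"$'
)
# Debian binary package file names follow <name>_<version>_<arch>.deb.
DEB_RE = re.compile(r"^(?P<name>[a-z0-9][a-z0-9+.-]+)_(?P<version>[^_]+)_(?P<arch>[^_]+)\.deb$")


def parse_log(text):
    """Yield one dict per well-formed combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def package_from_path(path):
    """Return (name, version, arch) when the request path is a .deb download, else None."""
    filename = unquote(path.rsplit("/", 1)[-1])
    m = DEB_RE.match(filename)
    if not m:
        return None
    return m.group("name"), m.group("version"), m.group("arch")


def exposure_by_client(text):
    """Map each client address to the set of (package, version) pairs its requests
    reveal; this is what a default access log hands to anyone who can read it."""
    seen = {}
    for rec in parse_log(text):
        pkg = package_from_path(rec["path"])
        if pkg:
            seen.setdefault(rec["ip"], set()).add(pkg[:2])
    return seen


def minimise_line(line):
    """Rewrite a log line as a privacy-conscious mirror could record it: client
    address zeroed and the path cut to its first component, keeping only method,
    status and size for capacity planning.  Returns None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    top = "/" + m.group("path").lstrip("/").split("/", 1)[0]
    return '0.0.0.0 - - [%s] "%s %s" %s %s' % (
        m.group("time"), m.group("method"), top, m.group("status"), m.group("size"))


if __name__ == "__main__":
    for ip, pkgs in exposure_by_client(SAMPLE_LOG).items():
        print(ip, "->", sorted(pkgs))
    for line in SAMPLE_LOG.splitlines():
        print(minimise_line(line))
```

Note that the Release/InRelease fetch in the first line is not a package download and so contributes nothing to the per-client map, while a repeated request (the 304) collapses into the same set entry; the leak is the sequence of pool paths, which is why the minimised form keeps only the top-level path component.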

  • No magnet: links for bittorrent downloads on SSL
  • No magnet: links for bittorrent downloads on OpenPGP-signed email
  • No publishing of hashes of various things in Bitcoin/etc blockchains
  • win32-loader is not Windows-code-signed
  • win32-loader is not available in the Microsoft Windows Store
  • Debian installer is not available in the Apple Store or other popular stores
  • ISO images server and mirrors have the same issues as repository mirrors
  • Front page of Debian website links to an ISO image but no signature
  • Verifying the ISO images is a convoluted process
  • Torrent files for the ISO images cannot be verified
  • BitErrant attacks on BitTorrent via SHA-1 collisions

  • No ISO hashes available over HTTPS
  • More prominent OpenPGP fingerprints for ISOs
  • Preinstalled systems are not able to be verified
  • Image downloader/writer programs that verify signatures and hashes
  • di-netboot-assistant does not verify things 775904

  • snapshot.debian.org validation requires turning off Valid-Until, using expired signatures and old keys, idea for a fix in 763419
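Two bullets on this page hinge on the Valid-Until field: most suites carry it to stop indefinite downgrade (replay) attacks, and snapshot.debian.org currently cannot be validated without turning that check off. The following is an added example, not code from this wiki page or from apt itself, that parses a constructed Release file and applies the same freshness rule apt does, with a switch that mimics disabling the check and an optional maximum age (modelled on apt's Max-ValidTime idea, expressed here in days) that bounds the damage when the field is ignored. The Release text and its dates are constructed; the field names are the ones apt uses.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (not a real Debian Release file): only the fields that matter
# for freshness, plus one hash line to show how continuation lines look.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian
Suite: stable
Codename: example
Date: Sat, 27 Mar 2021 09:00:00 UTC
Valid-Until: Sat, 03 Apr 2021 09:00:00 UTC
Architectures: amd64
Components: main
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 main/binary-amd64/Packages
"""

# Release files carry RFC 2822-style dates, always in UTC.
DATE_FORMAT = "%a, %d %b %Y %H:%M:%S %Z"


def parse_release(text):
    """Parse the top-level 'Field: value' lines of a Release file into a dict.
    Continuation lines (leading space, i.e. the hash lists) are skipped because
    freshness depends only on the Date and Valid-Until headers."""
    fields = {}
    for line in text.splitlines():
        if not line or line.startswith(" "):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_release_date(value):
    """Turn a Release date string into a timezone-aware UTC datetime."""
    return datetime.strptime(value, DATE_FORMAT).replace(tzinfo=timezone.utc)


def utc(iso):
    """Helper for callers: build an aware UTC datetime from an ISO 8601 string."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def release_is_fresh(fields, now, check_valid_until=True, max_valid_days=None):
    """Decide whether parsed Release metadata may be used at time `now`.

    check_valid_until=False mimics apt's Check-Valid-Until=no (what snapshot use
    currently requires), which re-opens the door to replaying old, validly signed
    metadata.  max_valid_days caps the age measured from Date even when Valid-Until
    is missing or ignored, so a replay can only go back that far.
    """
    date = parse_release_date(fields["Date"])
    if date > now + timedelta(minutes=5):
        # Metadata dated in the future is as suspicious as stale metadata; a few
        # minutes of clock skew are tolerated.
        return False
    if check_valid_until and "Valid-Until" in fields:
        if parse_release_date(fields["Valid-Until"]) < now:
            return False
    if max_valid_days is not None and now - date > timedelta(days=max_valid_days):
        return False
    return True


if __name__ == "__main__":
    release = parse_release(SAMPLE_RELEASE)
    for when in ("2021-03-30T12:00:00", "2021-04-10T12:00:00"):
        now = utc(when)
        print(when,
              "strict:", release_is_fresh(release, now),
              "check off:", release_is_fresh(release, now, check_valid_until=False),
              "check off, 7-day cap:", release_is_fresh(release, now, check_valid_until=False, max_valid_days=7))
```

Run at a date inside the window the strict check passes; a week after Valid-Until it fails, passes again with the check switched off, and fails once more when the 7-day cap is applied. That last combination is the shape of mitigation the snapshot bullet is asking for: an explicit, bounded acceptance of old metadata rather than an open-ended one.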

  • Possible apt sources.list improvements

  • all .deb packages are ultimately trusted by the system

  • SHA-1 is used in various places in Debian and by tools we use

  • Not all Debian services are on Tor onion services

  • Debian doesn't yet support binary transparency services (like Cothority)

  • buildds do not verify source packages against developer keyrings

  • User-oriented checklist

  • More

See also