Solved
- Debian websites use SSL certs verifiable by most existing OSes
- Some mirrors have https enabled and use SSL certs verifiable by most existing OSes
- Most suites have Valid-Until, preventing indefinite downgrade attacks
- SSL CA and DNSSEC/DANE trust paths to Debian SSL certs
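As an added illustration of the Valid-Until point above (this is example code written for this page, not apt's or Debian's own implementation): a client that honours Valid-Until treats a correctly signed but stale Release file as invalid, so a captured old snapshot can only be replayed until that date. A suite without Valid-Until has no such bound, which is exactly what allows an indefinite downgrade. The Release text below is a constructed sample, and the function names are this example's own.

```python
"""Check a Debian Release file's Date and Valid-Until fields against a clock.

Added example, not apt's or Debian's code. It models only the time bound that
Valid-Until provides; a real client also verifies the OpenPGP signature over the
Release file before trusting any of these fields.
"""
from datetime import datetime, timezone

# Constructed sample of the clearsigned body of a Release file (signature omitted).
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian
Suite: stable
Codename: bookworm
Date: Sat, 01 Jun 2024 10:00:00 UTC
Valid-Until: Sat, 08 Jun 2024 10:00:00 UTC
Architectures: amd64
"""

# Date form used in Release files, e.g. "Sat, 01 Jun 2024 10:00:00 UTC".
DATE_FORMAT = "%a, %d %b %Y %H:%M:%S UTC"


def parse_release(text: str) -> dict:
    """Parse the 'Field: value' header lines of a Release file.

    Multi-line fields such as SHA256 (continuation lines start with a space)
    are collapsed into one string so callers can still inspect them.
    """
    fields = {}
    current = None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            fields[current] += "\n" + line.strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            current = key.strip()
            fields[current] = value.strip()
    return fields


def parse_release_date(value: str) -> datetime:
    """Turn a Release-file timestamp into an aware UTC datetime."""
    return datetime.strptime(value, DATE_FORMAT).replace(tzinfo=timezone.utc)


def check_validity(fields: dict, now: datetime) -> str:
    """Classify a Release file relative to 'now'.

    Returns 'unbounded' when Valid-Until is absent (no replay bound at all),
    'future' when Date lies ahead of the clock, 'expired' when Valid-Until
    has passed, and 'fresh' otherwise.
    """
    if "Valid-Until" not in fields:
        # No expiry: an old signed Release could be replayed forever.
        return "unbounded"
    issued = parse_release_date(fields["Date"])
    valid_until = parse_release_date(fields["Valid-Until"])
    if issued > now:
        return "future"
    if now > valid_until:
        return "expired"
    return "fresh"


def check_release_text(text: str, now_iso: str) -> str:
    """Convenience wrapper: parse the text and check it against an ISO-8601 UTC time."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return check_validity(parse_release(text), now)


if __name__ == "__main__":
    print(check_validity(parse_release(SAMPLE_RELEASE), datetime.now(timezone.utc)))
```

The 'unbounded' result is the case the issue list below is concerned with: for a suite that ships no Valid-Until, a client has no way to tell a current Release file from one captured months ago, so freshness has to come from somewhere else.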
Issues
- No alternate trust paths (i.e. Monkeysphere) to Debian or mirror SSL certs
- No alternate trust paths to Debian DNSSEC keys
- Not available in browser certificate pinning (HPKP)
- Mirror updates are not authenticated in any way
- Most clients contacting mirrors reveal package names and version numbers
- Most mirrors probably have default apache2 logging (recording packages, versions, IPs etc)
- Mirrors list does not contain any info about https support
- http.debian.net does not currently support https but can easily be made to
- No mirrors that are Tor hidden services
- No suggestions to or documentation about how to verify signatures
- No downloads use the Subresource Integrity (SRI) standard
- No magnet: links for bittorrent downloads on SSL
- No publishing of hashes of various things in Bitcoin/etc blockchains
- win32-loader is not Windows-code-signed nor OpenPGP-signed
- The ISO image server and mirrors have the same issues as repository mirrors
- Front page of Debian website links to an ISO image but no signature
- Verifying the ISO images is a convoluted process
- Torrent files for the ISO images are not able to be verified
- Preinstalled systems are not able to be verified
- netboot.tar.gz files are not able to be verified (and the tarball is also unpacked on the mirror, which should stop)
- snapshot.debian.org validation requires turning off Valid-Until and using expired signatures and old keys; idea for a fix in 763419