Solved
- Debian websites use SSL certs verifiable by most existing OSes
- Some mirrors have https enabled and use SSL certs verifiable by most existing OSes
- Most suites have Valid-Until, preventing indefinite downgrade attacks
- SSL CA and DNSSEC/DANE trust paths to Debian SSL certs
- Official mirror run by DSA on the Tor network (announcement, followup), unofficial ones run by Debian members too
Issues
- No alternate trust paths (i.e. Monkeysphere) to Debian or mirror SSL certs (DNS TLSA records provide an alternate trust path)
- No alternate trust paths to Debian DNSSEC keys (https://anonscm.debian.org/cgit/mirror/dsa-puppet.git/tree/modules/unbound/files/debian.org.key)
- Not available in browser certificate pinning (HPKP)
- Mirror updates are not authenticated in any way
- Most clients contacting mirrors reveal package names and version numbers
- Most mirrors probably have default apache2 logging (recording packages, versions, IPs etc)
- Mirrors list does not contain any info about https support
- httpredir.debian.org does not currently support https but could easily be made to
- Security update notices are via email
- No suggestions to or documentation about how to verify signatures
- No downloads use the Subresource Integrity (SRI) standard
- No magnet: links for bittorrent downloads on SSL
- No magnet: links for bittorrent downloads on OpenPGP-signed email
- No publishing of hashes of various things in Bitcoin/etc blockchains
- win32-loader is not Windows-code-signed nor OpenPGP-signed
- ISO images server and mirrors have the same issues as repository mirrors
- Front page of Debian website links to an ISO image but no signature
- Verifying the ISO images is a convoluted process
- Torrent files for the ISO images cannot be verified
- No ISO hashes available over HTTPS
- More prominent OpenPGP fingerprints for ISOs
- Preinstalled systems cannot be verified
- netboot.tar.gz cannot be verified (the tarball is also unpacked on the mirror, which should stop)
- Image downloader/writer programs that verify signatures and hashes
- di-netboot-assistant does not verify anything (bug 775904)
- snapshot.debian.org validation requires turning off Valid-Until and using expired signatures and old keys; idea for a fix in bug 763419
- SHA-1 is used in various places in Debian and by the tools we use
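The Valid-Until item in the Solved list and the snapshot.debian.org item above both turn on the same check, so here it is as an added example (not Debian or apt code): classify a signature-verified Release file as fresh, expired, or unbounded. The Release header fragments are constructed for this example; the `max_age_days` cap imitates apt's `Acquire::Max-ValidTime` (earlier of the two bounds wins).

```python
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed Release-file header fragments (not real Debian Release files);
# only the fields the check needs are included.
RELEASE_WITH_VALID_UNTIL = """\
Origin: Debian
Suite: stable
Date: Sat, 14 Jan 2017 10:49:19 UTC
Valid-Until: Sat, 21 Jan 2017 10:49:19 UTC
Architectures: amd64 i386
"""

RELEASE_WITHOUT_VALID_UNTIL = """\
Origin: Debian
Suite: stable
Date: Sat, 14 Jan 2017 10:49:19 UTC
Architectures: amd64 i386
"""


def parse_release_fields(text):
    """Return the single-line 'Key: value' fields of a Release file as a dict."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():  # blank lines and indented hash-list rows
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _as_datetime(when):
    """Accept an aware datetime or an RFC 2822 date string (the Release format)."""
    return when if isinstance(when, datetime) else parsedate_to_datetime(when)


def check_release_freshness(text, now, max_age_days=None):
    """Return 'fresh', 'expired' or 'no-valid-until' for a Release file at `now`.

    Expiry is the earlier of Valid-Until and Date + max_age_days. With neither
    bound, a stale but validly signed index is accepted forever (the replay
    and downgrade problem Valid-Until exists to stop).
    """
    fields = parse_release_fields(text)
    bounds = []
    if "Valid-Until" in fields:
        bounds.append(parsedate_to_datetime(fields["Valid-Until"]))
    if max_age_days is not None and "Date" in fields:
        bounds.append(parsedate_to_datetime(fields["Date"]) + timedelta(days=max_age_days))
    if not bounds:
        return "no-valid-until"
    return "expired" if _as_datetime(now) > min(bounds) else "fresh"
```

Using an old snapshot.debian.org suite means either accepting "expired" here or disabling the check, which is exactly the tension the snapshot item describes.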