Important APT security update - please read the instructions to upgrade APT safely https://www.debian.org/security/2019/dsa-4371
@debian Ouch. I wondered why Debian wasn't using HTTPS. Any plans to do so now, in the light of this vulnerability?
@wizzwizz4 Debian already supports https. But TLS certificates depend on CAs, and most of them aren't trustworthy. Unless you use DANE/HPKP, don't expect https to *prevent* MITM attacks.
@devnull Fair point. However, loads of CAs are trusted by default for _everything else_, and it's better to pile on extra layers so an attacker will need to break _all_ of them.
@wizzwizz4 That's a huge problem. CAs shouldn't be trusted, because they don't give a crap about security. They're only for profit.
More software needs to support DANE, and more admins need to learn how to configure DANE and HPKP properly.
1. Let's Encrypt.
2. It helps to prevent attackers from easily utilising a vulnerability in one layer of mitigation.
Yeah, it's not perfect. But yes, it's better than nothing. HTTPS + DANE is better than HTTPS + CAs, but HTTPS + DANE + CAs is even better. And @debian doesn't have DANE yet, anyway!
@devnull Ok, CAs don't make a DANE system stronger, but they do make a system with clients that don't support DANE stronger.
However, we're not talking about a system that doesn't support DANE. We're talking about a case where @debian controls the protocols that both ends speak. The code can be made to do nearly anything!
@wizzwizz4 Debian already supports https for apt. So HTTPS support is not an issue. But it would be better if both apt and the Debian repos used DANE with self-signed certificate mode and/or HPKP. If I recall correctly, https://debian.org already supports DANE. I can't test any more since Firefox 57 broke compatibility with the DNSSEC/TLSA Validator plugin.
(And GPG signing is better than HTTPS, especially if HTTPS were used to "protect" non-signed packages.)
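What "DANE with self-signed certificate mode" means mechanically, as an added example (not code from this thread, from apt, or from Debian): the operator publishes a TLSA record of the form `3 1 1 <sha256>` carrying a hash of the server's SubjectPublicKeyInfo, and the client compares that against the key the server actually presents. With usage 3 (DANE-EE) no CA chain is consulted, so a certificate mis-issued by any of the default-trusted CAs for an attacker's key is rejected because its key does not match the pin. The Ed25519 keys and "certificate" byte strings below are constructed sample data, not real keys or certificates, and the code assumes the TLSA record itself arrives DNSSEC-validated (that validation is not shown).

```python
"""DANE-EE (TLSA usage 3) pin matching using only the standard library.

Added example; constructed sample keys, not real server material.
"""
import hashlib
import hmac
from dataclasses import dataclass

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (0 unused bits) <32 key bytes> }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ed25519_spki(pubkey: bytes) -> bytes:
    """Wrap a raw 32-byte Ed25519 public key into its DER SubjectPublicKeyInfo."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ED25519_SPKI_PREFIX + pubkey


# Constructed sample keys: the legitimate server's key, and an attacker's key
# that a mis-issued CA certificate for the same hostname might carry.
SERVER_PUBKEY = bytes(range(1, 33))
ATTACKER_PUBKEY = bytes(range(101, 133))
SERVER_SPKI = ed25519_spki(SERVER_PUBKEY)
ATTACKER_SPKI = ed25519_spki(ATTACKER_PUBKEY)

# Stand-ins for certificate DER; a real client takes these from the TLS handshake.
SERVER_CERT_DER = b"constructed-self-signed-cert:" + SERVER_SPKI
ATTACKER_CERT_DER = b"constructed-ca-issued-cert:" + ATTACKER_SPKI


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate DER, 1 SubjectPublicKeyInfo DER
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation format, e.g. '3 1 1 <hex>' (hex may contain spaces)."""
    usage, selector, mtype, hexdata = rdata.split(maxsplit=3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex(hexdata.replace(" ", "")))


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Compute the bytes a TLSA record holds for the given selector and matching type."""
    if selector == 0:
        selected = cert_der
    elif selector == 1:
        selected = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_rdata(cert_der: bytes, spki_der: bytes,
               usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Render the record an operator publishes; '3 1 1' is the form RFC 7671 recommends."""
    return f"{usage} {selector} {mtype} " \
           f"{association_data(cert_der, spki_der, selector, mtype).hex()}"


def dane_ee_matches(records, cert_der: bytes, spki_der: bytes) -> bool:
    """True if some DANE-EE (usage 3) record matches the presented end-entity certificate.

    Usage 3 needs no CA chain: the pinned data alone authenticates the server.
    Usages 0-2 still require PKIX validation and are deliberately not handled here;
    records with an unknown selector or matching type are treated as unusable.
    """
    for rec in records:
        if rec.usage != 3:
            continue
        try:
            expected = association_data(cert_der, spki_der, rec.selector, rec.mtype)
        except ValueError:
            continue
        if hmac.compare_digest(expected, rec.data):
            return True
    return False


if __name__ == "__main__":
    rdata = tlsa_rdata(SERVER_CERT_DER, SERVER_SPKI)      # goes into _443._tcp.<host>
    published = parse_tlsa(rdata)
    print("published:", rdata)
    print("legit server accepted:",
          dane_ee_matches([published], SERVER_CERT_DER, SERVER_SPKI))
    print("CA-issued MITM cert accepted:",
          dane_ee_matches([published], ATTACKER_CERT_DER, ATTACKER_SPKI))
```

Pinning the SPKI (selector 1) rather than the whole certificate (selector 0) is what lets the operator renew or re-issue the certificate without touching DNS, as long as the key is kept; a selector 0 record breaks on every re-issuance. The attacker's certificate is rejected purely because its key hash differs, whichever CA signed it.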
Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.