Important APT security update - please read the instructions to upgrade APT safely

@debian Ouch. I wondered why Debian wasn't using HTTPS. Any plans to do so now, in the light of this vulnerability?

@wizzwizz4 Debian already supports https. But TLS certificates depend on CAs, and most of them aren't trustworthy. Unless you use DANE/HPKP, don't expect https to *prevent* MITM attacks.


@devnull Fair point. However, loads of CAs are trusted by default for _everything else_, and it's better to pile on extra layers so an attacker will need to break _all_ of them.

@wizzwizz4 That's a huge problem. CAs shouldn't be trusted, because they don't give a crap about security. They're only for profit.

More software needs to support DANE, and more admins need to learn how to configure DANE and HPKP properly.


1. Let's Encrypt.
2. It helps to prevent attackers from easily utilising a vulnerability in one layer of mitigation.

Yeah, it's not perfect. But yes, it's better than nothing. HTTPS + DANE is better than HTTPS + CAs, but HTTPS + DANE + CAs is even better. And @debian doesn't have DANE yet, anyway!

@wizzwizz4 Let's Encrypt won't prevent CAs from doing harm for profit.

No, HTTPS + DANE + CA isn't better than HTTPS + DANE. CAs add nothing and have the ability to forge rogue certificates, unless HPKP (1) is used. And DANE can make a self-signed certificate trusted without third parties.

The real problem is that clients don't support DANE natively; Firefox used to support it via an add-on. And most server admins don't use it.

1. Some clients don't support HPKP.



@devnull Ok, CAs don't make a DANE system stronger, but they do make a system with clients that don't support DANE stronger.

However, we're not talking about a system that doesn't support DANE. We're talking about a case where @debian controls the protocols that both ends speak. The code can be made to do nearly anything!

@wizzwizz4 Debian already supports https for apt. So HTTPS support is not an issue. But it would be better if both apt and Debian repos used DANE with self-signed certificate mode and/or HPKP. If I recall correctly, it already supports DANE. I can't test anymore since Firefox 57 broke compatibility with the DNSSEC/TLSA Validator plugin.

(And GPG signing is better than HTTPS, especially if HTTPS were used to "protect" non-signed packages.)
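The two posts above describe DANE in the abstract (a TLSA record lets a self-signed certificate be trusted without a CA, and HPKP pins the same key). The following Go program, added here as an illustration and not part of this thread or of Debian's apt, shows the concrete check a DANE-aware client performs: it hashes the SubjectPublicKeyInfo of the certificate the server presented and compares it to a "3 1 1" (DANE-EE, SPKI, SHA-256) TLSA record, and derives the equivalent HPKP pin-sha256 value. The certificates and the host name `mirror.example` are constructed test data; no DNS lookup is performed, the record is built locally from the "good" certificate.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSARecord mirrors the RDATA of a TLSA record (RFC 6698):
// usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256.
type TLSARecord struct {
	Usage        uint8
	Selector     uint8
	MatchingType uint8
	Data         []byte
}

const (
	usageDANEEE    = 3
	selectorSPKI   = 1
	matchingSHA256 = 1
)

// spkiSHA256 hashes the DER-encoded SubjectPublicKeyInfo of a certificate.
func spkiSHA256(cert *x509.Certificate) []byte {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return sum[:]
}

// tlsaForCert builds the "3 1 1" record a zone operator would publish under
// _443._tcp.<host> for this certificate. No CA is involved: the (DNSSEC-signed)
// record binds the name to the key, which is what lets a self-signed cert be trusted.
func tlsaForCert(cert *x509.Certificate) TLSARecord {
	return TLSARecord{Usage: usageDANEEE, Selector: selectorSPKI, MatchingType: matchingSHA256, Data: spkiSHA256(cert)}
}

// hpkpPin is the same SPKI hash in the base64 form an HPKP pin-sha256 directive used.
func hpkpPin(cert *x509.Certificate) string {
	return base64.StdEncoding.EncodeToString(spkiSHA256(cert))
}

// matchesTLSA is the client-side check: does the certificate the server presented
// match the record retrieved from DNS? Only the 3 1 1 combination is handled here;
// any other usage/selector/matching type is rejected rather than silently accepted.
func matchesTLSA(cert *x509.Certificate, rec TLSARecord) bool {
	if rec.Usage != usageDANEEE || rec.Selector != selectorSPKI || rec.MatchingType != matchingSHA256 {
		return false
	}
	return bytes.Equal(spkiSHA256(cert), rec.Data)
}

// selfSignedCert generates a throwaway self-signed certificate for the example
// (constructed test data, not a real mirror certificate).
func selfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{cn},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	good, err := selfSignedCert("mirror.example")
	if err != nil {
		panic(err)
	}
	rec := tlsaForCert(good)
	fmt.Printf("TLSA %d %d %d %s\n", rec.Usage, rec.Selector, rec.MatchingType, hex.EncodeToString(rec.Data))
	fmt.Printf("HPKP pin-sha256=\"%s\"\n", hpkpPin(good))
	fmt.Println("presented cert matches record:", matchesTLSA(good, rec))

	// A second certificate for the same name, as a rogue CA would issue, carries a
	// different key, so the DNS-published record rejects it regardless of who signed it.
	rogue, err := selfSignedCert("mirror.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("rogue cert matches record:", matchesTLSA(rogue, rec))
}
```

The point the posts make falls out of the last line: a certificate for the same name with a different key fails the check even if a browser-trusted CA signed it, so the CA's word adds nothing once the TLSA record is consulted. In practice the record must also be retrieved over DNSSEC with a validating resolver, which the example omits.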


@devnull @debian It would be better still if GPG over HTTPS + DANE was the default.
