FS#28771 - {archweb} secure sites related to package signing / keys

Attached to Project: Arch Linux
Opened by Christian Hesse (eworm) - Sunday, 04 March 2012, 13:54 GMT
Last edited by Dan McGee (toofishes) - Sunday, 21 October 2012, 15:59 GMT
Task Type Feature Request
Category Web Sites
Status Closed
Assigned To Dan McGee (toofishes)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Verifying keys before trusting them is required for security. At the moment some Arch web sites are accessible unencrypted, which opens the door for man-in-the-middle attacks and the like. I think these sites should redirect to https by default; this way modifications on the way from the server to the client should be found easily by complaining clients.

Sites affected (possibly more):
Signing Master Keys <http://www.archlinux.org/master-keys/>
Arch Linux Developers <http://www.archlinux.org/developers/>
Arch Linux Trusted Users <http://www.archlinux.org/trustedusers/>

Closed by Dan McGee (toofishes)
Sunday, 21 October 2012, 15:59 GMT
Reason for closing: Implemented
Additional comments about closing: Main site is now HTTPS only.
Comment by Dan McGee (toofishes) - Sunday, 04 March 2012, 20:08 GMT
s/http/https/ if you're paranoid. It is all available on a secure connection too.
Comment by Christian Hesse (eworm) - Monday, 05 March 2012, 09:15 GMT
Package signing is all about being paranoid, isn't it? ;)

Ok, seriously. Even if you check from different sources, a single network node running netsed could fake all fingerprints from all sources. Only an encrypted connection would prevent this case.

I know I can switch to https and did. But only those who are aware of this risk will do so. As it's easily implementable, why not just do it?
