GNU bug report logs - #39419
On the use of HTTPS for substitute server


Package: guix;

Reported by: Damien Cassou <damien <at> cassou.me>

Date: Tue, 4 Feb 2020 14:29:01 UTC

Severity: normal

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.


From: Damien Cassou <damien <at> cassou.me>
To: Leo Famulari <leo <at> famulari.name>, 39419 <at> debbugs.gnu.org
Subject: bug#39419: On the use of HTTPS for substitute server
Date: Wed, 05 Feb 2020 11:34:49 +0100

"Leo Famulari" <leo <at> famulari.name> writes:
> So, someone who could MITM as <https://ci.guix.gnu.org> could use their
> own X.509 certificate and pretend to be that server.

IIUC, you agree with me that an attacker can't change the content of
packages but can inspect what a user installs. This seems to contradict
this paragraph:

> HTTPS is recommended because communications are encrypted; conversely,
> using HTTP makes all communications visible to an eavesdropper, who
> could use the information gathered to determine, for instance, whether
> your system has unpatched security vulnerabilities.


If you believe the text is good as it is, please just ignore me and
close the ticket.

Thank you so much for Guix.

-- 
Damien Cassou

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill
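The distinction drawn in this exchange, integrity of substitutes versus confidentiality of the transport, can be made concrete. The Python below is an added example and not code from this bug thread or from Guix itself: it models a substitute server that signs a narinfo-style record for each store item, a client that accepts an archive only when the record is signed by a trusted key and the archive hashes to the value in that record, and a passive observer of the request stream over plain HTTP versus HTTPS. The signing scheme is a constructed stand-in (an HMAC with a shared key, so the example runs on the standard library; Guix uses public-key signatures), and the store paths, archive bytes and request lines are constructed sample data.

```python
import hashlib
import hmac
import re

# Constructed keys for the example. Guix signs narinfo records with a public
# key pair; an HMAC stands in here so the example runs on the standard library
# alone. The trust property shown is the same: the client only accepts content
# whose hash matches a record signed by a key it trusts.
SERVER_KEY = b"constructed-substitute-server-key"
ATTACKER_KEY = b"constructed-attacker-key"

# Constructed sample data: one store item, its archive, and two HTTP requests
# as a client would send them to a substitute server.
SAMPLE_NAR = b"constructed archive bytes for openssl-1.2.3"
SAMPLE_PATH = "/gnu/store/" + "0" * 32 + "-openssl-1.2.3"
SAMPLE_REQUESTS = [
    "GET /" + "0" * 32 + "-openssl-1.2.3.narinfo HTTP/1.1",
    "GET /" + "1" * 32 + "-bash-5.0.narinfo HTTP/1.1",
]


def sign_narinfo(store_path: str, nar: bytes, key: bytes = SERVER_KEY) -> dict:
    """Server side: produce a signed metadata record for one store item."""
    nar_hash = hashlib.sha256(nar).hexdigest()
    body = f"StorePath: {store_path}\nNarHash: sha256:{nar_hash}\n"
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}


def client_accepts(narinfo: dict, nar: bytes, trusted_key: bytes = SERVER_KEY) -> bool:
    """Client side: accept the archive only if the record carries a valid
    signature from a trusted key AND the archive hashes to the signed value.
    This holds whether the bytes arrived over HTTP or HTTPS; the transport
    is not what protects integrity."""
    expected = hmac.new(trusted_key, narinfo["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, narinfo["signature"]):
        return False
    match = re.search(r"^NarHash: sha256:([0-9a-f]+)$", narinfo["body"], re.M)
    if not match:
        return False
    return hmac.compare_digest(hashlib.sha256(nar).hexdigest(), match.group(1))


def http_observer_view(request_lines: list) -> list:
    """What a passive eavesdropper on plain HTTP learns: the store item name,
    and with it the package and version, in every request path."""
    seen = []
    for line in request_lines:
        m = re.match(r"GET /[0-9a-z]{32}-(\S+?)\.narinfo ", line)
        if m:
            seen.append(m.group(1))
    return seen


def https_observer_view(host: str, request_lines: list) -> dict:
    """Over HTTPS the same observer sees the server name (from the TLS
    handshake) and the number of requests, but not the paths."""
    return {"host": host, "requests": len(request_lines)}


def demo() -> dict:
    """Run the four cases the thread discusses and return the outcomes."""
    record = sign_narinfo(SAMPLE_PATH, SAMPLE_NAR)
    tampered = SAMPLE_NAR + b"x"
    # A record re-signed by someone without the server's key is rejected too.
    forged = sign_narinfo(SAMPLE_PATH, tampered, key=ATTACKER_KEY)
    return {
        "genuine_accepted": client_accepts(record, SAMPLE_NAR),
        "tampered_archive_rejected": not client_accepts(record, tampered),
        "forged_record_rejected": not client_accepts(forged, tampered),
        "http_leaks": http_observer_view(SAMPLE_REQUESTS),
        "https_leaks": https_observer_view("ci.guix.gnu.org", SAMPLE_REQUESTS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the two properties side by side: a modified archive or a record signed with the wrong key is rejected regardless of transport, while the plain-HTTP request stream hands an observer the list of package names and versions, which is what the manual's paragraph about eavesdroppers refers to.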



