
Bug#989082: Please, consider to use HTTPS by default



On Tue, May 25, 2021 at 04:23:41PM +0200, Manolo Díaz wrote:
> Package: popularity-contest
> Version: 1.71
> Severity: wishlist
> X-Debbugs-Cc: debian@pleione.es
> 
> Dear Maintainer,
> 
> It seems that the site popcon.debian.org is HTTPS capable. Please
> consider changing the SUBMITURLS variable inside the file default.conf
> to use it by default.
> Also, when https is used, does gpg add any privacy enhancement?

Hello Manolo

The server does not support https submission; https submissions
are redirected to plain http.

This is a feature: older systems reporting to popcon have a TLS library
that is too old to be compatible with modern https servers.

Also in the context of popcon, https has a major flaw in that
it uses a certificate to identify the server, and identifying
valid certificates is difficult.

On the other hand GPG encryption with a static public key is much
simpler and safer.

It is easy for the server to use a keyring with all the private decryption
keys that correspond to the public encryption keys, even if it was last
used 10 years ago.

On the other hand it is not realistic for a https server to offer a
10-year old certificate because this is what older systems are
expecting.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 

