Bug#989082: Please, consider to use HTTPS by default
> On Tue, May 25, 2021 at 04:23:41PM +0200, Manolo Díaz wrote:
> > Package: popularity-contest
> > Version: 1.71
> > Severity: wishlist
> > X-Debbugs-Cc: debian@pleione.es
> >
> > Dear Maintainer,
> >
> > It seems that the site popcon.debian.org is HTTPS capable. Please
> > consider changing the SUBMITURLS variable inside the file default.conf
> > to use it by default.
> > Also, when https is used, does gpg add any privacy enhancement?
>
> Hello Manolo
>
> The server does not support https submission, https submissions
> are redirected to plain http.
>
> This is a feature: older systems reporting to popcon have a too old TLS
> library that is not compatible with modern https servers.
>
> Also in the context of popcon, https has a major flaw in that
> it uses a certificate to identify the server, and identifying
> valid certificates is difficult.
>
> On the other hand GPG encryption with a static public key is much
> simpler and safer.
>
> It is easy for the server to use a keyring with all the private decryption
> keys that correspond to the public encryption keys, even if it was last
> used 10 years ago.
>
> On the other hand it is not realistic for a https server to offer a
> 10-year old certificate because this is what older systems are
> expecting.
>
> Cheers,
Hello Bill,
Thank you very much for the very detailed explanation.
Best Regards,
--
Manolo Díaz