
Bug#989082: Please, consider to use HTTPS by default



On Tue, May 25, 2021 at 05:14:41PM +0200, Manolo Díaz wrote:
> 
> > On Tue, May 25, 2021 at 04:23:41PM +0200, Manolo Díaz wrote:
> > > Package: popularity-contest
> > > Version: 1.71
> > > Severity: wishlist
> > > X-Debbugs-Cc: debian@pleione.es
> > > 
> > > Dear Maintainer,
> > > 
> > > It seems that the site popcon.debian.org is HTTPS capable. Please
> > > consider changing the SUBMITURLS variable inside the file default.conf
> > > to use it by default.
> > > Also, when https is used, does gpg add any privacy enhancement?
> > 
> > Hello Manolo
> > 
> > The server does not support https submission, https submissions
> > are redirected to plain http.
> > 
> > This is a feature: older systems reporting to popcon have a too old TLS
> > library that is not compatible with modern https servers.
> > 
> > Also in the context of popcon, https has a major flaw in that
> > it uses a certificate to identify the server, and identifying
> > valid certificates is difficult.
> > 
> > On the other hand GPG encryption with a static public key is much
> > simpler and safer.
> > 
> > It is easy for the server to use a keyring with all the private decryption
> > keys that correspond to the public encryption keys, even if it was last
> > used 10 years ago.
> > 
> > On the other hand it is not realistic for an https server to offer a
> > 10-year old certificate because this is what older systems are
> > expecting.
> > 
> > Cheers,
> 
> 
> Hello Bill,
> 
> Thank you very much for the very detailed explanation.

Thanks, I will add it to the FAQ.

Cheers,
Bill.

