On Tue, Mar 15, 2016 at 10:26:54AM +0900, Charles Plessy wrote: > With the worldwide effort of using HTTPS everywhere, I wonder if > apt-transport-https shouldn't be installed by default anyway on systems with > network connectivity, that is, its priority should be Important. What do > people think about this ? Would it make sense to raise the question on > debian-devel ? What does it buy you exactly? Debian repositories already do package signing, so we know things haven't been tampered with. Probably any significant number of machines installed somewhere will have a caching proxy for updates, largely mitigating privacy concerns as well. The HTTPS Everywhere extension makes perfect sense, because web pages are not signed, browsers are generally uniquely identifiable and anyone can inject malicious JavaScript into your page, intercept your private details, etc. However I would have expected Debian repositories are about the least important thing to have run over HTTPS.
Attachment:
signature.asc
Description: Digital signature