Re: Q: Use https for {deb,security}.debian.org by default

[Wouter Verhelst <wouter@debian.org>]

On Thu, Aug 19, 2021 at 10:11:33PM +0000, Jeremy Stanley wrote:
> On 2021-08-19 16:37:13 -0400 (-0400), Kyle Edwards wrote:
> > On 8/19/21 3:46 PM, Simon Richter wrote:
> > > For the most part, users would configure https if they are behind a
> > > corporate firewall that disallows http, or modifies data in-flight so
> > > signature verification fails, everyone else is better off using plain
> > > http.
> > 
> > Or they might configure https on the sheer principle of not wanting to have
> > their traffic hoovered up by their ISP or anyone else who might be
> > listening.
> 
> While this does complicate it, a snooping party can still know the
> site they're connecting to via SNI happening unencrypted,

SNI is not unencrypted if you do TLS1.3...

-- 
     w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}