
Re: Q: Use https for {deb,security}.debian.org by default



On Sat, Aug 21, 2021 at 10:28:04AM +0200, Wouter Verhelst wrote:
> On Thu, Aug 19, 2021 at 10:11:33PM +0000, Jeremy Stanley wrote:
> > On 2021-08-19 16:37:13 -0400 (-0400), Kyle Edwards wrote:
> > > On 8/19/21 3:46 PM, Simon Richter wrote:
> > > > For the most part, users would configure https if they are behind a
> > > > corporate firewall that disallows http, or modifies data in-flight so
> > > > signature verification fails, everyone else is better off using plain
> > > > http.
> > > 
> > > Or they might configure https on the sheer principle of not wanting to have
> > > their traffic hoovered up by their ISP or anyone else who might be
> > > listening.
> > 
> > While this does complicate it, a snooping party can still know the
> > site they're connecting to via SNI happening unencrypted,
> 
> SNI is not unencrypted if you do TLS1.3...
> 
It is, though...  ECH (née ESNI)
https://datatracker.ietf.org/doc/draft-ietf-tls-esni/ is still WIP.

Cheers,
Julien

