
Re: http:// or https://. Does it matter?



On Sun 15 Aug 2021 at 20:40:36 +0200, Bruno Zuber wrote:

> It seems to be "http" by default (at least it's on my newly installed
> system). I've switched to https and everything still works.

Works for me too. But that wasn't what I was puzzled about.

> "https" prevents someone from tampering with the user's connection (e.g.
> man in the middle attack). However as the packages are signed anyway so
> https is "just" an additional level of security. But why not use it if
> it comes without additional "costs"?

Once it is said that all the packages are signed, everything has
been said. A man in the middle attack would alter the signing. If
it doesn't, packages from a regular archive would be at risk. But
the installer uses http for the lines it puts in sources.list.

Why are the Release Notes out of step? Are its authors more aware
of security?

Cheers,

Brian.

