[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: http:// or https://. Does it matter?

On Sun 15 Aug 2021 at 20:24:54 +0100, Brian Potkin wrote:

> On Sun 15 Aug 2021 at 20:40:36 +0200, Bruno Zuber wrote:
> 
> > It seems to be "http" by default (at least it's ony my newly installed
> > system). I've switched to https and everything still works. 
> 
> Works for me too. But that wasn't what I was puzzled about.
> 
> > "https" prevents someone from tempering with the users connection (e.g.
> > man in the middle attack). However as the packages are singed anyway so
> > https is "just" an additonal level of security. But why not use it if
> > it comes without addtional "costs"?
> 
> Once it is said that all the packages are signed, everything has
> been said. A man in the middle attack would alter the signing. If
> it doesn't, packages from a regular archive would be at risk. But
> the installer uses http for the lines it puts in sources.list.
> 
> Why are the Release Notes out of step? Are its authors more aware
> of security?

doesn't -> does
Reply to: