On Thu, 2015-09-03 at 19:05 +0200, tom wrote:
> Hi,
>
> I have discovered that none of the repository links is https:// . Is it
> not safer to use only https:// connections?
>
> And as well the download of a Debian distro is only http:// .
>
> Sorry to say that but nearly all other distros used for the download
> link https:// . But as repository links they all used only http://
> connections like Debian.

It is not necessary to use HTTP-S for authentication of packages:
http://catless.ncl.ac.uk/Risks/28.58.html#subj13.1

If you need to avoid revealing which packages you are downloading,
HTTP-S doesn't do that because it is still possible to observe the length
of each response. In that case you should perhaps use Tor:
http://www.richardhartmann.de/blog/posts/2015/08/25-Tor-enabled_Debian_mirror_part_2/

Ben.

--
Ben Hutchings
Everything should be made as simple as possible, but not simpler.
- Albert Einstein
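
The point about response lengths in the reply above, as an added example that is not part of the original message: a mirror's Packages index publishes a `Size` field for every package, so anyone assessing the exposure can check how many packages a given encrypted response length is consistent with. The sample index, the package names and the 600-byte slack for header and TLS framing overhead are constructed assumptions.

```python
# Constructed sample in the Debian Packages index format (names and sizes are made up).
SAMPLE_INDEX = """\
Package: alpha-tool
Version: 1.0-1
Size: 48212

Package: beta-lib
Version: 2.3-4
Size: 48900

Package: gamma-doc
Version: 0.9-2
Size: 1203344

Package: delta-utils
Version: 5.1-1
Size: 48230
"""


def parse_sizes(index_text):
    """Return {package name: size in bytes} from Packages-style stanzas."""
    sizes = {}
    for stanza in index_text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1)
                      for line in stanza.splitlines() if ": " in line)
        if "Package" in fields and "Size" in fields:
            sizes[fields["Package"]] = int(fields["Size"])
    return sizes


def candidates(observed_len, sizes, slack):
    """Packages whose published size is consistent with an observed length.

    slack is the assumed uncertainty in bytes added by HTTP headers and
    TLS record framing on top of the file itself.
    """
    return sorted(n for n, s in sizes.items() if s <= observed_len <= s + slack)


def exposure(sizes, slack):
    """Map each package to the packages it cannot be told apart from by length."""
    return {n: sorted(m for m, t in sizes.items() if abs(t - s) <= slack)
            for n, s in sizes.items()}
```

A package whose `exposure` entry contains only itself is identified by its length alone, with or without encryption of the transfer.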