
Re: Repository Link are NOT https://



On Thu, 2015-09-03 at 19:05 +0200, tom wrote:
> Hi,
> 
> I have discovered that none of the repository links is https:// . Is it
> not safer to use only https:// connections?
> 
> And as well the download of a Debian distro is only http:// .
> 
> Sorry to say that but nearly all other distros used for the download
> link https:// . But as repository links they all used only http://
> connections like Debian.

It is not necessary to use HTTP-S for authentication of packages:
    http://catless.ncl.ac.uk/Risks/28.58.html#subj13.1

If you need to avoid revealing which packages you are downloading,
HTTP-S doesn't do that because it is still possible to observe the length
of each response.  In that case you should perhaps use Tor:
    http://www.richardhartmann.de/blog/posts/2015/08/25-Tor-enabled_Debian_mirror_part_2/

Ben.

-- 
Ben Hutchings
Everything should be made as simple as possible, but not simpler.
                                                           - Albert Einstein
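
The point about response lengths can be measured from a mirror's package index. The following is an added example, not part of the message above: it parses `Package:`/`Size:` stanzas in the Debian `Packages` format and reports how many packages share each size. The sample index and the `slack` parameter (uncertainty from HTTP headers and TLS framing) are constructed assumptions.

```python
# Added example. SAMPLE_PACKAGES is constructed data, not a real mirror index.
SAMPLE_PACKAGES = """\
Package: alpha
Version: 1.0-1
Size: 48212

Package: bravo
Version: 2.3-4
Size: 48212

Package: charlie
Version: 0.9-2
Size: 1310720

Package: delta
Version: 5.1-1
Size: 48300
"""

def parse_sizes(index_text):
    """Return {package name: .deb size in bytes} from Packages-style stanzas."""
    sizes = {}
    for stanza in index_text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") or ":" not in line:
                continue  # continuation line of a multi-line field
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Package" in fields and "Size" in fields:
            sizes[fields["Package"]] = int(fields["Size"])
    return sizes

def anonymity_sets(sizes, slack=0):
    """Map each package to the packages whose size is within `slack` bytes.
    `slack` is an assumed allowance for header and TLS record overhead."""
    return {name: sorted(o for o, s in sizes.items() if abs(s - size) <= slack)
            for name, size in sizes.items()}

def uniquely_sized(sizes, slack=0):
    """Packages whose download size alone distinguishes them from all others."""
    sets = anonymity_sets(sizes, slack)
    return sorted(name for name, group in sets.items() if len(group) == 1)

if __name__ == "__main__":
    sizes = parse_sizes(SAMPLE_PACKAGES)
    for slack in (0, 128):
        print(f"slack={slack}: uniquely sized -> {uniquely_sized(sizes, slack)}")
```

A package that appears in `uniquely_sized` gains no download privacy from encryption alone, which is the case the message suggests Tor for.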
