
Re: Debian mirrors and MITM

In Oct 2013 a similar discussion started

On 30 May 2014 14:15:01 CEST, Alfie John <alfiej@fastmail.fm> wrote:
>Hi guys,
>Taking a look at the Debian mirror list, I see none serving over HTTPS:
>  https://www.debian.org/mirror/list
>The public Debian mirrors seem like an obvious target for governments
>MITM. I know that the MD5s are also published, but unless you're
>verifying them with third parties, what's stopping the MD5s being
>compromised too?
>Is there any compelling reason why the public Debian mirrors aren't
>served over HTTPS? If there isn't any, then further to this, is there
>any reason why not to mandate all public Debian mirrors HTTPS-only?
