Debian mirrors and MITM

Hi guys,

Taking a look at the Debian mirror list, I see none serving over HTTPS:

https://www.debian.org/mirror/list

The public Debian mirrors seem like an obvious target for governments to
MITM. I know that the MD5s are also published, but unless you're
verifying them with third parties, what's stopping the MD5s being
compromised too?

Is there any compelling reason why the public Debian mirrors aren't
served over HTTPS? If there isn't any, then further to this, is there
any reason why not to mandate all public Debian mirrors HTTPS-only?

Alfie
--
Alfie John
alfiej@fastmail.fm