
Re: Apt sources.list



On Sat, Apr 15, 2023 at 12:18:57PM -0400, Dan Ritter wrote:
> paulf@quillandmouse.com wrote: 
> > 
> > Okay. Let's open this can of worms. The ONLY reason https is used on
> > most sites is because Google *mandated* it years ago. ("Mandate" means
> > we'll downgrade your search ranking if you don't use https.) There is
> > otherwise no earthly reason to have an encrypted connection to a web
> > server unless there is some exchange of private information between you
> > and the server.
> 
> ... and because Let's Encrypt made it relatively easy,
> monetarily free, and automated.

Google Chrome being one of their sponsors.

Now don't get me wrong: there are many things to like about TLS in
general and about Let's Encrypt in particular. And another sponsor
of Let's Encrypt is the EFF, whose motives, to me at least, are
beyond reproach. But it's a mixed bag, and that "unencrypted is
BAAAD" meme is just security theater.

> > "insecure". Though, in truth, the integrity of Debian server contents
> > wouldn't be changed in the slightest whether the connection was
> > encrypted or not.
> 
> 
> It's nice not to be telling everyone who can sniff a plaintext
> connection which packages you are installing,

Without doubt, this is an advantage of a TLS connection. If you
do care about that, here would be one reason.

>                                        and prevents those
> people from trivially substituting trojan horses.

...and this is downright wrong. The Debian packages are signed.
If you got your first install from a trusted source, this is
way more secure than TLS [1]. TLS doesn't hurt here, but it
doesn't help much, either.

[1] Have you ever had a look at the incredible zoo of root certs
your browser trusts?

Cheers
-- 
t
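To make the "packages are signed" point above concrete, here is an added illustration (my own example, not code from the thread or from apt) of the hash chain apt walks beneath the signed Release file: Release lists the SHA256 and size of each Packages index, and each Packages stanza lists the SHA256 and size of the .deb it describes. The archive contents here (a stand-in .deb, a one-stanza Packages index, a minimal Release file) are constructed inline; the signature check over Release, which apt performs with gpgv against the archive keyring before trusting any of these hashes, is assumed to have already passed and is not implemented.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_packages(name: str, version: str, filename: str, deb: bytes) -> bytes:
    """Build a one-stanza Packages index for a .deb (constructed sample, not a real mirror)."""
    stanza = (
        f"Package: {name}\n"
        f"Version: {version}\n"
        f"Architecture: amd64\n"
        f"Filename: {filename}\n"
        f"Size: {len(deb)}\n"
        f"SHA256: {sha256_hex(deb)}\n"
    )
    return stanza.encode()


def build_release(indexes: dict) -> str:
    """Build a Release file whose SHA256 section covers the given index files."""
    lines = ["Origin: Example", "Suite: stable", "Codename: example", "SHA256:"]
    for path, data in indexes.items():
        lines.append(f" {sha256_hex(data)} {len(data):>16} {path}")
    return "\n".join(lines) + "\n"


def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        elif in_section:
            in_section = False  # next top-level field ends the section
    return entries


def parse_packages(packages: bytes) -> dict:
    """Return {package name: {field: value}} from a Packages index."""
    pkgs = {}
    for stanza in packages.decode().strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith(" "):  # skip continuation lines
                fields[key] = value.strip()
        if "Package" in fields:
            pkgs[fields["Package"]] = fields
    return pkgs


def verify_chain(release_text: str, index_path: str, packages: bytes,
                 name: str, deb: bytes) -> bool:
    """Check Packages against Release, then the .deb against Packages.

    Assumes the Release file's signature was already verified (apt does this with
    gpgv); only then are the hashes below trustworthy, regardless of transport.
    """
    want = parse_release_sha256(release_text).get(index_path)
    if want is None or want != (sha256_hex(packages), len(packages)):
        return False
    fields = parse_packages(packages).get(name)
    if fields is None:
        return False
    return (fields.get("SHA256") == sha256_hex(deb)
            and int(fields.get("Size", -1)) == len(deb))


# Constructed sample archive (not real Debian data)
DEB = b"!<arch>\ndebian-binary   2.0\n"  # stand-in bytes for a .deb
FILENAME = "pool/main/h/hello/hello_2.10-3_amd64.deb"
INDEX_PATH = "main/binary-amd64/Packages"
PACKAGES = build_packages("hello", "2.10-3", FILENAME, DEB)
RELEASE = build_release({INDEX_PATH: PACKAGES})


def demo() -> tuple:
    """Intact chain verifies; a modified .deb fails; a Packages index rewritten to
    cover the modified .deb fails too, because Release no longer matches it."""
    intact = verify_chain(RELEASE, INDEX_PATH, PACKAGES, "hello", DEB)
    modified_deb = verify_chain(RELEASE, INDEX_PATH, PACKAGES, "hello", DEB + b"\x00")
    rewritten_index = build_packages("hello", "2.10-3", FILENAME, DEB + b"\x00")
    modified_index = verify_chain(RELEASE, INDEX_PATH, rewritten_index, "hello", DEB + b"\x00")
    return intact, modified_deb, modified_index


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The only link not shown is the one that makes the rest hold: the signature over Release, checked against keys that arrived with the initial install. That is why a mirror (or anyone between you and it) can serve a modified index or package over plain http and still not get it installed, while a sniffer can still see which files were requested.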


