On Sat, Apr 15, 2023 at 07:21:17PM +0100, Alain D D Williams wrote:
> On Sat, Apr 15, 2023 at 11:00:52AM -0400, paulf@quillandmouse.com wrote:
>
> > Okay. Let's open this can of worms. The ONLY reason https is used on
> > most sites is because Google *mandated* it years ago. ("Mandate" means
> > we'll downgrade your search ranking if you don't use https.) There is
> > otherwise no earthly reason to have an encrypted connection to a web
> > server unless there is some exchange of private information between you
> > and the server.
>
> Where I live (England) I do not care if "the authorities" see what I have
> installed on my machine. If I lived in a totalitarian state†† there are some
> packages that might raise my profile on some "radar".
I am sad to have to type such an obvious point, but the https
feature exists for everyone, not just you. It is great that you are
privileged enough to not feel like you are under threat from your
own government (whether you have accurately estimated that risk is
another conversation) but not everyone is so privileged.
You did not ask if the feature made sense *for you*, you just asked
about the feature. Even if you *had* asked if it made sense for you,
no one would be able to answer as only you can decide what your
threat model is.
What you have said above is almost literally, "I don't have anything
to hide therefore I don't need privacy", but you've said it in such
a way as to imply that no one needs this particular feature.
Disappointing.
Your literal question was if there was any reason NOT to change
every APT URL to https. The objective answer is that not all Debian
mirrors support https! It seems like your real question was more
like, "is there any point to doing this" which you got a lot of
response to.
The hiding of the content of what is requested is a real feature
that some people want.
I haven't yet seen it mentioned in this thread but there are even
people who refute that argument. They say that an advanced attacker
in the middle will use traffic analysis and the publicly known sizes
of all Debian packages to easily work out which packages are
requested even without their names being visible.
Still, it not being in the clear makes this harder, and some people
want that.
By the way, in terms of malware distribution it is easier to
compromise a real Debian developer and get them to upload the bad
package in an entirely proper way. THis has already happened at
least once, though not to a stable release AFAIK. Unlike tampering
of in-flight downloads which has never been reported.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Attachment:
signature.asc
Description: PGP signature