Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates
On Mon, Mar 26, 2018 at 9:39 PM, Rhonda D'Vine wrote:
> * Martin Monperrus:
>> Would it make sense to keep track of valid https support for the
>> secondary mirrors?
> Actually the issue still holds: The mirror team needs to repoint
> mirrors to other servers at times and thus the certificate there
> wouldn't include those redirected mirrors.
The mirror team don't control the DNS for secondary mirrors. The
individual mirror admins could be doing that, but it seems unlikely to
> I am aware that there is a privacy concern involved, like what packages
> get downloaded, but appart from that that's the only knowledge to gain
> from unencrypted http traffic.
https doesn't provide protection against correlation of download size
to packages downloaded, so it doesn't have much advantage over http
for package download privacy.