[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates

On Mon, Mar 26, 2018 at 9:39 PM, Rhonda D'Vine wrote:
> * Martin Monperrus:
>> Would it make sense to keep track of valid https support for the
>> secondary mirrors?
>  Actually the issue still holds: The mirror team needs to repoint
> mirrors to other servers at times and thus the certificate there
> wouldn't include those redirected mirrors.

The mirror team don't control the DNS for secondary mirrors. The
individual mirror admins could be doing that, but it seems unlikely to

> I am aware that there is a privacy concern involved, like what packages
> get downloaded, but appart from that that's the only knowledge to gain
> from unencrypted http traffic.

https doesn't provide protection against correlation of download size
to packages downloaded, so it doesn't have much advantage over http
for package download privacy.



Reply to: