Bug#893980: www.debian.org: Many mirrors have no or untrusted HTTPS certificates
* Paul Wise <email@example.com> [2018-03-26 15:52:45 CEST]:
> On Mon, Mar 26, 2018 at 9:39 PM, Rhonda D'Vine wrote:
> > * Martin Monperrus:
> >> Would it make sense to keep track of valid https support for the
> >> secondary mirrors?
> > Actually the issue still holds: The mirror team needs to repoint
> > mirrors to other servers at times and thus the certificate there
> > wouldn't include those redirected mirrors.
> The mirror team don't control the DNS for secondary mirrors. The
> individual mirror admins could be doing that, but it seems unlikely to
Right, but DNS for the primary ones, and pointing them towards a server
that isn't under their control would mean that they'd have to carry a
*.debian.org wildcard certificate. Which won't happen for non-DSA
> > I am aware that there is a privacy concern involved, like what packages
> > get downloaded, but apart from that that's the only knowledge to gain
> > from unencrypted http traffic.
> https doesn't provide protection against correlation of download size
> to packages downloaded, so it doesn't have much advantage over http
> for package download privacy.
Ah, right, forgot about that point. So even that point is moot.
Thanks for pointing that out. :)
If you feel disheartened, finally take heart, go   |
If you feel helpless, go out and help, go          | Wir sind Helden
If you feel powerless, go out and act, go          | 23.55: Alles auf Anfang
If you feel unmoored, find a foothold and let go   |
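As an added illustration of the size-correlation point made above (this is
example code written for this page, not code from the bug report, the mirror
team or Debian): an observer who cannot read the TLS payload still sees how
many bytes a response carried, and a Packages index lists the exact Size of
every .deb. The index below is constructed and made up, the TLS framing model
(about 300 bytes of HTTP headers, 16 KiB records, ~22 bytes of record overhead)
is an assumption stated in the code, and the padding function at the end shows
what a mirror would have to do to blunt the correlation, which Debian mirrors
do not do.

```python
"""Why HTTPS alone does not hide which .deb was fetched from a mirror.

Added example, not from the original thread. All package data and the TLS
overhead model are constructed assumptions, not measurements of real mirrors.
"""
import math
from collections import defaultdict

# Constructed stand-in for a Packages index: (package, version, Size in bytes).
# Made up for this example; real indices list tens of thousands of entries.
PACKAGES_INDEX = [
    ("bash", "5.2.15-2", 1_430_100),
    ("coreutils", "9.1-1", 2_866_060),
    ("tor", "0.4.8.4-1", 2_089_776),
    ("openssh-server", "1:9.2p1-2", 478_236),
    ("wireguard-tools", "1.0.20210914-1", 112_632),
    ("libfoo1", "1.0-1", 112_632),  # constructed collision with wireguard-tools
    ("curl", "7.88.1-10", 312_108),
]


def build_size_index(entries):
    """Map exact Size -> list of 'name version' strings (collisions share a size)."""
    by_size = defaultdict(list)
    for name, version, size in entries:
        by_size[size].append(f"{name} {version}")
    return dict(by_size)


def observed_length(deb_size, header_bytes=300, record_overhead=22, record_payload=16384):
    """Crude model of bytes seen on the wire for one HTTPS response carrying a .deb.

    Assumptions: ~300 bytes of HTTP response headers, TLS records of 16 KiB
    plaintext, each adding ~22 bytes (record header + AEAD tag). Real servers
    and cipher suites differ, so match_candidates() uses a tolerance.
    """
    plaintext = deb_size + header_bytes
    records = math.ceil(plaintext / record_payload)
    return plaintext + records * record_overhead


def match_candidates(observed, by_size, tolerance=600):
    """Packages whose Size is consistent with an observed ciphertext length.

    The observer does not know the exact header length, so any package whose
    modelled wire length lies within `tolerance` bytes is a candidate.
    """
    return sorted(
        pkg
        for size, pkgs in by_size.items()
        if abs(observed_length(size) - observed) <= tolerance
        for pkg in pkgs
    )


def pad_to_bucket(size, bucket):
    """Plaintext length a server would send if it padded bodies to `bucket` multiples."""
    return math.ceil(size / bucket) * bucket


def candidates_with_padding(observed_padded, by_size, bucket):
    """If every body were padded to a multiple of `bucket`, the observer only
    learns the bucket, and every package that rounds up to it is a candidate."""
    return sorted(
        pkg
        for size, pkgs in by_size.items()
        if pad_to_bucket(size, bucket) == observed_padded
        for pkg in pkgs
    )


if __name__ == "__main__":
    by_size = build_size_index(PACKAGES_INDEX)
    for _, _, size in PACKAGES_INDEX:
        wire = observed_length(size)
        print(f"{wire:>9} bytes on the wire -> {match_candidates(wire, by_size)}")
    # With 1 MiB padding, a ~2 MiB transfer is no longer unambiguous.
    bucket = 1 << 20
    padded = pad_to_bucket(2_089_776, bucket)
    print(f"padded to {padded} -> {candidates_with_padding(padded, by_size, bucket)}")
```

Run stand-alone, the script shows that every package with a unique Size is
identified from the ciphertext length alone, and that a size collision only
narrows the guess to the colliding packages rather than hiding it; only
padding (or bundling several downloads into one connection so the per-file
lengths are not visible) widens the candidate set, which is the reason the
thread concludes HTTPS buys little download privacy here.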