> apt-listbugs uses an unencrypted connection to communicate with the BTS,
> leaking information about installed packages and versions.
You shouldn't expect that much more security by just switching to TLS.

Unfortunately Debian nowadays uses certificates issued by an external CA (Gandi) which itself is just an intermediate CA to USERTrust. So everyone in that hierarchy could issue a forged certificate used for selective MitM attacks. And that already assumes that apt-listbugs would only trust the USERTrust or Gandi cert.

The past has shown often enough that these commercial CAs are highly untrustworthy and/or in some cases plain incompetent.

Best wishes,
Chris.
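The trust property raised in the reply above, as an added example that is not part of the original message or of apt-listbugs: with a single root trusted, a certificate for the same name issued by any intermediate under that root passes chain validation, and only a comparison against a known key fingerprint tells the two apart. All names, keys and certificates are constructed for the example, and the fingerprint check is an assumption of this example, not something proposed in the thread.

```ruby
require 'openssl'

# Build a constructed certificate; a nil issuer means self-signed.
def make_cert(cn, key, issuer_cert, issuer_key, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  value = ca ? 'CA:TRUE' : 'CA:FALSE'
  cert.add_extension(ef.create_extension('basicConstraints', value, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Chain validation with exactly one trusted root, as a client that
# "only trusts the root" would perform it.
def chain_valid?(trusted_root, leaf, intermediates)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_root)
  store.verify(leaf, intermediates)
end

# SHA-256 over the DER-encoded public key of the certificate.
def key_fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.public_key.to_der)
end

def demo
  keys = Hash.new { |h, k| h[k] = OpenSSL::PKey::RSA.new(2048) }
  root  = make_cert('Constructed Root', keys[:root], nil, nil, ca: true)
  int_a = make_cert('Constructed Intermediate A', keys[:a], root, keys[:root], ca: true)
  int_b = make_cert('Constructed Intermediate B', keys[:b], root, keys[:root], ca: true)
  # Same subject name, different issuing intermediate, different key.
  real  = make_cert('bts.example', keys[:real], int_a, keys[:a], ca: false)
  other = make_cert('bts.example', keys[:other], int_b, keys[:b], ca: false)
  known = key_fingerprint(real) # fingerprint recorded out of band
  { real:  [chain_valid?(root, real, [int_a]),  key_fingerprint(real) == known],
    other: [chain_valid?(root, other, [int_b]), key_fingerprint(other) == known] }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Each pair in the result is the chain-validation outcome followed by the fingerprint match for that certificate.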