On Sat, Apr 15, 2023 at 07:21:17PM +0100, Alain D D Williams wrote: > On Sat, Apr 15, 2023 at 11:00:52AM -0400, pa...@quillandmouse.com wrote: > > > Okay. Let's open this can of worms. The ONLY reason https is used on > > most sites is because Google *mandated* it years ago. ("Mandate" means > > we'll downgrade your search ranking if you don't use https.) There is > > otherwise no earthly reason to have an encrypted connection to a web > > server unless there is some exchange of private information between you > > and the server. > > Where I live (England) I do not care if "the authorities" see what I have > installed on my machine. If I lived in a totalitarian state†† there are some > packages that might raise my profile on some "radar".
I am sad to have to type such an obvious point, but the https feature exists for everyone, not just you. It is great that you are privileged enough to not feel like you are under threat from your own government (whether you have accurately estimated that risk is another conversation) but not everyone is so privileged. You did not ask if the feature made sense *for you*, you just asked about the feature. Even if you *had* asked if it made sense for you, no one would be able to answer as only you can decide what your threat model is. What you have said above is almost literally, "I don't have anything to hide therefore I don't need privacy", but you've said it in such a way as to imply that no one needs this particular feature. Disappointing. Your literal question was if there was any reason NOT to change every APT URL to https. The objective answer is that not all Debian mirrors support https! It seems like your real question was more like, "is there any point to doing this" which you got a lot of response to. The hiding of the content of what is requested is a real feature that some people want. I haven't yet seen it mentioned in this thread but there are even people who refute that argument. They say that an advanced attacker in the middle will use traffic analysis and the publicly known sizes of all Debian packages to easily work out which packages are requested even without their names being visible. Still, it not being in the clear makes this harder, and some people want that. By the way, in terms of malware distribution it is easier to compromise a real Debian developer and get them to upload the bad package in an entirely proper way. THis has already happened at least once, though not to a stable release AFAIK. Unlike tampering of in-flight downloads which has never been reported. Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting
signature.asc
Description: PGP signature