On Sat, May 7, 2022 at 3:27 PM Marc Espie <es...@nerim.net> wrote:
>
> On Fri, May 06, 2022 at 08:13:42AM -0000, Stuart Henderson wrote:
> > On 2022-05-06, Theo Buehler <t...@theobuehler.org> wrote:
> > > While we could readily make libssl fall back to the legacy stack if
> > > SSL_OP_NO_TICKET is disabled, I don't think this optimization outweighs
> > > the overall benefit of TLSv1.3 - better protocol, cleaner code.
> >
> > Especially when the major beneficiary of this is pkg_add when it
> > searches for updates; the number of connections has been *hugely*
> > reduced with the caching added recently.
>
> I haven't enforced it, but https for pkg_add makes zero sense
> anyway: you don't gain any confidentiality, and the integrity of
> the package is ensured by the signatures.
>
> Note that https for base release makes little sense as well, apart
> from the initial installs. Updates will also rely on signatures,
> so all you gain from https is... exercising tls, and noticing
> connections are slower.
>
> (also: authentication is slow for old time architectures).
>
> I'm still wondering what's the point of https for all this.
>
But but but we will be secure. All the internet says so. http is so 1990. /sarcasm