On Thursday, February 16, 2017 1:46:56 PM CET Bruno Haible wrote:
> Tim Ruehsen wrote:
> > I updated the links in users.txt to HTTPS where possible (manually
> > checked). For outdated links I tried to find the current valid links.
>
> Thanks a lot! I've applied it in your name. The rationale, for me, is that
> http and ftp are vulnerable to man-in-the-middle attacks [1].
>
> Bruno
>
> [1] https://lists.gnu.org/archive/html/bug-gnulib/2017-01/msg00102.html

Thanks, and yes, MITM active and passive (reading content) attacks are my rationale as well.

It is pretty bad that many announcements[1] still point to our ftp and http sites. How many downloaders check the signatures manually? 1%? Am I the only maintainer using HTTPS (for wget announcements)?

I already thought about dropping the reference to http://ftpmirror.gnu.org/. There is no HTTPS pendant.

[1] http://lists.gnu.org/archive/html/info-gnu/2017-02/index.html

Regards, Tim