On 15 October 2016 at 19:03, Paul Tagliamonte <paul...@debian.org> wrote:
> So, the real question:
> So, when are we going to push this? If not now, what criteria need to be
> met? Why can't we https-ify the default CDN mirror today?
It is my understanding that in 2016 there is a huge difference between
the following sniffed traffic information:
a) TLS traffic from a server to archive.debian.org host
b) HTTP traffic from a server to archive.debian.org/debian-security/dists/lenny
The latter reveals that the system is likely to be susceptible
to every single CVE since Lenny's end of life.
I believe the TLS overhead costs are negligible, especially if one
uses ECC keys. The further privacy it buys one is, IMHO, well worth
the effort. I would be in favor of Debian mirrors to auto-enroll into