In follow-up to: https://lists.debian.org/debian-devel/2016/10/msg00592.html

As an update here: the default recommendation in the Debian release notes now
recommends[1] HTTPS instead of HTTP by default.

Despite the validity of many of the theoretical concerns about APT over HTTP,
I reckon that there are a few (maybe unusual) reasons that could be argued in
favour of plain HTTP:

  * It allows other devices on the local network segment to inspect the
    content that other nodes are sending and receiving.  When you pay for a
    drink or meal at a bar, typical etiquette is _not_ to place the banknotes
    inside a sealed envelope (TLS) during the handover.  In other words:
    integrity can increase as the number of potential viewers increases. (I
    seem to remember reading a similar phrase about the depth of bugs in code)

    In that kind of scenario, an integrity token is provided inline as part of
    the message (EURion constellation or similar).

  * In the context of machine learning -- where data gathered can be used to
    inform and train other processes -- some individuals and organizations may
    in fact _want_ to share their workflows with all, as opposed to with only
    one other, potentially culturally-distant, entity.

  * As another thread participant mentioned, if you don't trust a global
    passive adversary, then it may be sensible to question whether you can
    trust their certificate issuers (I admit that your HPKP comments partially
    address this concern).  If you don't trust either, you might choose to save
    some CPU cycles (both for yourself and those who may be gathering your
    data).

Reflections have been published[2] about progress and change as it has occurred
over the past decade or so.  As someone who definitely tends paranoid, despite
some of the reassurances written there, I don't fully trust that the migration
from "your traffic was mostly snoopable in transit" to "your traffic is mostly
encrypted (but to endpoints that we could lean on)" is a true shift for most
affected parties, other than creating some new social dynamics and reallocating
equipment and personnel.

Perhaps that's all an unusual perspective, and/or can be refuted with public
information - I certainly don't have any private information to prove it.

I like privacy, and I think I've been more of an advocate for software privacy
than against (in fact, some of the arguments I've developed in this message
are relatively new to me).  But I do begin to wonder whether the required
overheads for it -- especially given the limitations of the practical, human
systems that operate them -- really benefit the everyday person, or instead
only a (questionably trustworthy) few who want privacy for nefarious reasons.

[1] - 
https://www.debian.org/releases/testing/amd64/release-notes/ch-upgrading.en.html#network

[2] - https://www.ietf.org/archive/id/draft-farrell-tenyearsafter-00.html
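As an added illustration of the "integrity token inline in the message" point made in the first bullet above (this is example code written for this page, not part of the original message and not APT's own implementation): a toy mirror publishes an index of package digests and a detached signature over that index, standing in for APT's OpenPGP-signed Release file. Ed25519 from Go's standard library replaces OpenPGP, and the package names and contents are constructed sample data. Anyone who sees the bytes on the wire, whether the downloading client or a passive node on the same segment, can run the same check with only the public key: swapping a package blob in transit is caught by a digest mismatch, and rewriting the index to match is caught by the signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Repo is a toy mirror: package blobs plus a signed index (an analogue of
// APT's Release file and its detached signature). Example code, not APT's.
type Repo struct {
	Pub      ed25519.PublicKey
	Packages map[string][]byte
	Release  []byte // index lines of the form "<name> <sha256 hex>\n"
	Sig      []byte // detached Ed25519 signature over Release
}

// buildRelease renders the index deterministically (sorted by name) so that
// the signed bytes are reproducible.
func buildRelease(pkgs map[string][]byte) []byte {
	names := make([]string, 0, len(pkgs))
	for n := range pkgs {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		h := sha256.Sum256(pkgs[n])
		fmt.Fprintf(&b, "%s %s\n", n, hex.EncodeToString(h[:]))
	}
	return []byte(b.String())
}

// NewRepo signs the index with a freshly generated key. The private key is
// discarded after signing: nothing on the wire can produce a new valid index.
func NewRepo(pkgs map[string][]byte) (*Repo, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rel := buildRelease(pkgs)
	return &Repo{Pub: pub, Packages: pkgs, Release: rel, Sig: ed25519.Sign(priv, rel)}, nil
}

// Verify is the check any observer can run using only the public key and the
// bytes that were transmitted: first the signature over the index, then each
// downloaded blob against the digest the signed index lists for it.
func Verify(pub ed25519.PublicKey, release, sig []byte, pkgs map[string][]byte) error {
	if !ed25519.Verify(pub, release, sig) {
		return errors.New("release signature invalid")
	}
	want := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(release)), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			return fmt.Errorf("malformed index line %q", line)
		}
		want[f[0]] = f[1]
	}
	for name, blob := range pkgs {
		exp, ok := want[name]
		if !ok {
			return fmt.Errorf("%s not listed in signed index", name)
		}
		h := sha256.Sum256(blob)
		if hex.EncodeToString(h[:]) != exp {
			return fmt.Errorf("%s: digest mismatch", name)
		}
	}
	return nil
}

// Scenario reports whether the untouched download verifies (clean) and whether
// two in-transit modifications are detected: a swapped blob (blobTamper) and a
// swapped blob plus a rewritten index (indexTamper).
func Scenario() (clean, blobTamper, indexTamper bool, err error) {
	// Constructed sample packages; the names and contents are made up.
	pkgs := map[string][]byte{
		"hello_1.0_amd64.deb": []byte("hello contents"),
		"vim_9.0_amd64.deb":   []byte("vim contents"),
	}
	repo, err := NewRepo(pkgs)
	if err != nil {
		return
	}
	clean = Verify(repo.Pub, repo.Release, repo.Sig, pkgs) == nil

	// A middlebox replaces one blob but leaves the signed index alone.
	tampered := map[string][]byte{
		"hello_1.0_amd64.deb": []byte("backdoored contents"),
		"vim_9.0_amd64.deb":   pkgs["vim_9.0_amd64.deb"],
	}
	blobTamper = Verify(repo.Pub, repo.Release, repo.Sig, tampered) != nil

	// The middlebox also rewrites the index to match; without the private key
	// the old signature no longer covers the new bytes.
	forged := buildRelease(tampered)
	indexTamper = Verify(repo.Pub, forged, repo.Sig, tampered) != nil
	return
}

func main() {
	clean, blob, idx, err := Scenario()
	fmt.Println("clean verifies:", clean, "blob tamper caught:", blob,
		"index tamper caught:", idx, "error:", err)
}
```

The verification step depends only on the public key and the transmitted bytes, which is why it can be performed by any party that can read the traffic, not just the endpoint that asked for it; the transport's confidentiality is irrelevant to the integrity result.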
