On Wed, Dec 9, 2015 at 12:22 PM, Nick Holland <[email protected]> wrote:
> HAHAHHAHAHA...
> you think adding a certificate changes this?
> https is a joke.
"Some people implement HTTPS poorly sometimes, so we shouldn't try."

The amount of effort "wasted" on Let's Encrypting the OpenBSD website is so small compared to the immediate benefits that we would gain by doing so. Nothing is perfect, and no approach is enough to be called "security" on its own. Defense in depth calls for doing what we can to provide multiple layers of security.

In the case of www.openbsd.org, using HTTPS isn't so much about privacy as it is about integrity. Yes, signify(1) is a thing, but using HTTPS in addition to it would make release and package downloads more difficult to tamper with.

