By default, the data is cryptographically verified. An admin has to specifically turn off that feature.
There's little benefits of using HTTPS in this specific setting and it's just an extra requirement on our volunteer mirrors. It will add time, CPU load, and even a small amount of bandwidth increase. All to achieve nothing. >From a security analysis, this is public data so it's a very low risk with no data toxicity. I just don't see the benefit. As a security expert, I also make sure to focus my time where it's best utilized. So I am recommending that you and I can spend our time elsewhere as well as our mirror volunteers :-) -KAM On Thu, Apr 28, 2022, 07:36 Henrik K <h...@hege.li> wrote: > On Thu, Apr 28, 2022 at 07:26:41AM -0400, Kevin A. McGrail wrote: > > We discussed this a year or two ago. The data on there is not sensitive > and > > is cryptographically verified by spamassassin before being used. Can you > > name a single reason the data needs to be encrypted in transit? KAM > > It's only verified if the user chooses to do so, is not downloading stuff > manually or whatever. Regardless, can YOU name a single reason why > transmitted data should not be encrypted in the year 2022, as it's trivial > to do so? Strange debate from a security expert. > >