Unfortunately, this 1-byte change -- while a good idea -- is ineffective on its own, because emacs does not verify TLS connections by default... and in fact the gnutls configuration in Debian's emacs is somehow so broken that it doesn't check certificates *even if* certificate checking is enabled :-(. See #816063.
Really the default url for elpa should be switched to use https AND cert checking should be enabled by default AND it should be configured in such a way that it actually works. -- Nathaniel J. Smith -- https://vorpus.org
