Philipp Kern <pk...@debian.org> writes:

> Perfect is the enemy of good. Debian is already paying the protection
> money at this point and TBH I don't understand the resistance to add
> and promote the https:// variant of it. We can still switch to Let's
> Encrypt once it is available.

I don't object to promoting https. I do think we should be careful about what claims we make about MITM protection, since I believe https without certificate pinning does not provide real MITM protection. It does, however, raise the bar against casual eavesdropping if you're already having to pay the CA cartel for other reasons, and that's worthwhile.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

Archive: https://lists.debian.org/87617bjbxw....@hope.eyrie.org