On 15 October 2016 at 19:03, Paul Tagliamonte <paul...@debian.org> wrote:
>
> So, the real question:
>
> So, when are we going to push this? If not now, what criteria need to be
> met? Why can't we https-ify the default CDN mirror today?
>
It is my understanding that in 2016 there is a huge difference between the following sniffed traffic information:

a) TLS traffic from a server to the archive.debian.org host
b) HTTP traffic from a server to archive.debian.org/debian-security/dists/lenny

since the latter reveals that the system is likely to be susceptible to every single CVE since Lenny end of life.

I believe the TLS overhead costs are negligible, especially if one uses ECC keys. The further privacy it buys one is, IMHO, well worth the effort.

I would be in favor of Debian mirrors auto-enrolling in letsencrypt certs.

--
Regards,
Dimitri.
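The distinction Dimitri draws, shown as an added example that is not part of the thread: a passive observer parsing the same mirror request once as plain HTTP and once as a TLS ClientHello. The HTTP request, the ClientHello bytes and the set of end-of-life suite names are all constructed here for the demonstration; the function names are this example's own.

```python
"""
Added example (not from the Debian mailing-list thread): what a passive
observer learns from a mirror request over plain HTTP versus over TLS.
Over HTTP the request line and Host header expose the exact suite being
fetched; over TLS only the SNI hostname in the ClientHello is in cleartext.
All inputs below are constructed inline.
"""
import os
import struct

# Constructed sample of what an apt client sends over plain HTTP (port 80).
HTTP_REQUEST = (
    b"GET /debian-security/dists/lenny/updates/Release HTTP/1.1\r\n"
    b"Host: archive.debian.org\r\n"
    b"User-Agent: Debian APT-HTTP/1.3\r\n"
    b"\r\n"
)

# Illustrative list of end-of-life suites an observer might key on (assumption).
EOL_SUITES = {"lenny", "squeeze", "wheezy"}


def observe_http(raw: bytes) -> dict:
    """Parse the request line and Host header the way a sniffer would."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    # "/debian-security/dists/lenny/..." -> the suite name follows "dists/"
    parts = path.strip("/").split("/")
    suite = parts[parts.index("dists") + 1] if "dists" in parts else None
    return {"host": host, "path": path, "suite": suite,
            "eol_suite": suite in EOL_SUITES}


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello carrying a single SNI extension (constructed)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x03" + os.urandom(32) + b"\x00"   # client version, random, empty session id
        + b"\x00\x02\xc0\x2f"                     # one cipher suite
        + b"\x01\x00"                             # null compression only
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def observe_tls(raw: bytes) -> dict:
    """Extract the only cleartext identity in a ClientHello: the SNI hostname."""
    assert raw[0] == 0x16 and raw[5] == 0x01, "not a ClientHello record"
    p = 5 + 4 + 2 + 32                                   # record hdr, hs hdr, version, random
    p += 1 + raw[p]                                      # session id
    p += 2 + struct.unpack("!H", raw[p:p + 2])[0]        # cipher suites
    p += 1 + raw[p]                                      # compression methods
    ext_end = p + 2 + struct.unpack("!H", raw[p:p + 2])[0]
    p += 2
    sni = None
    while p < ext_end:
        ext_type, ext_len = struct.unpack("!HH", raw[p:p + 4])
        data = raw[p + 4:p + 4 + ext_len]
        if ext_type == 0x0000:                           # server_name extension
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode("ascii")
        p += 4 + ext_len
    # The path (and so the suite) travels inside the encrypted stream.
    return {"host": sni, "path": None, "suite": None, "eol_suite": False}


def compare_views() -> tuple:
    """Return (http_view, tls_view) for the same archive.debian.org request."""
    http_view = observe_http(HTTP_REQUEST)
    tls_view = observe_tls(build_client_hello("archive.debian.org"))
    return http_view, tls_view


if __name__ == "__main__":
    for label, view in zip(("plain HTTP", "TLS"), compare_views()):
        print(f"{label:10s}: {view}")
```

Both views name the same host, which is the point of the thread: HTTPS does not hide which mirror a machine talks to, but it does hide the `dists/lenny` path that marks the host as running an end-of-life release.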