Jeremy Stanley <fu...@yuggoth.org> writes:

> I agree with all of the above, my point was that the current state of
> HTTPS doesn't especially improve integrity for Debian package management
> over the signed indices and checksums we already rely on, and trying to
> use HTTPS for privacy/secrecy (which isn't really what it was designed
> for) is still and perhaps even increasingly misguided. Of course lots of
> people will continue to expect magic HTTPS fairy dust to protect them
> and ward off evil, but the only legitimate reason I can see for Debian
> changing the default protocol for sources.list entries is to avoid
> having to pointlessly debate the minimal benefits of HTTPS with people
> who drink whatever cool-aid they're told by security "experts" (HTTP
> bad, HTTPS good, drink up!).
Do you think using HTTPS makes security worse?

No idea whether I qualify as a "security expert", but as someone who has spent a fair amount of time working in security, my concern is making advice simple enough for people to follow. Complicated, conditional, or inconsistent advice means you lose people who decide this is all too hard to understand and just do nothing. "Use HTTPS everywhere that supports it" is simple and actionable advice for the average person that will make them more secure. There are applications and sites where HTTPS doesn't really help, but other than some unusual performance edge cases that are pretty rare in practice, it doesn't hurt. It's not magic fairy dust, but it does raise the bar against a set of attacks, provides some additional privacy against casual non-targeted snooping, and is a better default than not using TLS.

Personally, I think we should switch our default to HTTPS not because we have a specific security flaw in mind against which HTTPS provides some protection, but because it's consistent with the general message that a lot of us (including, for example, the EFF and the IETF) are trying to send to average users who don't have the expertise to analyze any of this: use TLS by default wherever you can. It's not a panacea, but ubiquitous, default use of TLS helps both your security and your privacy compared to either the previous default of no TLS or spending a bunch of mental energy picking and choosing.

-- 
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>