Hi,

On 20-08-2021 17:48, Russ Allbery wrote:
> It sounds like we have a general consensus in this thread that, while
> changing our default to HTTPS probably won't make anything more secure in
> practice, we should still do it?
I was told, and I relayed early in this thread [1], that https gives you some (delayed) protection against man-in-the-middle attacks serving you old data. Does everybody agree that this is either not prevented, or not giving you more security, or is an extremely unlikely security threat? Because when I thought about it, it did make sense, but I'm not somebody who thinks about security for a profession, nor do I claim to be any expert at all on the topic.

I'm not saying that explaining this is worth more than the https-as-default-for-the-noob reasoning; I just want to know what you think about the argument.

Paul

[1] https://lists.debian.org/debian-devel/2021/08/msg00277.html
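The "serving you old data" risk in the message above is bounded, over HTTP as much as over HTTPS, by how long a signed Release file is still accepted, which is what the `Valid-Until` field in a Debian Release file controls. The following is an added illustration of that freshness bound, not code from this thread or from apt itself: it evaluates a constructed InRelease header at a few points in time, and the `max_age` policy is an assumed local knob, not an apt option.

```python
"""Freshness check for a Debian Release/InRelease header (added example)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: header lines of an InRelease file, with the OpenPGP
# signature and the hash lists omitted. Dates use the RFC 5322 style apt emits.
SAMPLE_RELEASE = """Origin: Debian
Suite: stable
Codename: bullseye
Date: Sat, 14 Aug 2021 09:55:12 UTC
Valid-Until: Sat, 21 Aug 2021 09:55:12 UTC
Architectures: amd64 arm64
"""

def parse_release_fields(text):
    """Return the top-level 'Key: value' fields; continuation lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def release_state(text, now, max_age=None):
    """Classify a Release file seen at `now` (aware UTC datetime).

    'fresh'     - Valid-Until is in the future (and Date is within max_age).
    'expired'   - Valid-Until has passed, or Date is older than max_age.
    'unbounded' - no Valid-Until at all: replay of this file is limited only
                  by the local max_age policy, if one is set.
    """
    fields = parse_release_fields(text)
    published = parsedate_to_datetime(fields["Date"])
    if max_age is not None and now - published > max_age:
        return "expired"
    valid_until = fields.get("Valid-Until")
    if valid_until is None:
        return "unbounded"
    return "expired" if now > parsedate_to_datetime(valid_until) else "fresh"

def check_samples():
    """Evaluate the constructed sample at a few moments; runs stand-alone."""
    seen = datetime(2021, 8, 20, 17, 48, tzinfo=timezone.utc)
    without = SAMPLE_RELEASE.replace("Valid-Until: Sat, 21 Aug 2021 09:55:12 UTC\n", "")
    return {
        "fresh": release_state(SAMPLE_RELEASE, seen),
        "replayed_after_expiry": release_state(SAMPLE_RELEASE, seen + timedelta(days=2)),
        "no_valid_until": release_state(without, seen),
        "too_old_for_policy": release_state(SAMPLE_RELEASE, seen, max_age=timedelta(days=1)),
    }

if __name__ == "__main__":
    for name, state in check_samples().items():
        print(f"{name}: {state}")
```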