On 2021-08-20 20:52:43 +0200 (+0200), Paul Gevers wrote:
[...]
> I was told and I relayed early in this thread [1] that https gives you
> some (delayed) protection against man-in-the-middle attacks serving you
> old data. Does everybody agree that this is either not prevented or not
> giving you more security or is an extremely unlikely security threat?
> Because when I thought about it, it did make sense, but I'm not somebody
> that thinks about security for a profession, nor do I claim to be any
> expert at all on the topic.
> 
> I'm not saying that explaining this is worth more than the
> https-as-default-for-the-noob reasoning, I just want to know what you
> think about the argument.
[...]

It shrinks the window, but there are already safeguards preventing
use of stale indices based on coarse timestamping. At best a MitM
could quietly block you from downloading security updates until the
old indices they're injecting expire, but they can also more noisily
prevent you from downloading security updates for far longer,
regardless of whether you use HTTPS as a transport.
-- 
Jeremy Stanley
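The "safeguards ... based on coarse timestamping" Jeremy refers to are the Date and Valid-Until fields that apt checks in a repository's signed Release/InRelease file. The following is an added example (not code from this thread or from apt itself) that parses the header of a constructed Release file and applies the same freshness decision: a file whose Valid-Until has passed is rejected as stale, a file dated in the future is rejected, and a file with no Valid-Until is accepted unless a maximum age is configured (apt's Acquire::Max-ValidTime). The sample file contents, the ten-minute clock-skew allowance and the function names are this example's own assumptions; it only reads the metadata, so the signature check that must precede this in practice is out of scope here.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the metadata header of a Debian-style InRelease file.
# A real file also carries per-index hash lists and a PGP signature.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable-security
Codename: bullseye-security
Date: Sat, 21 Aug 2021 08:15:00 UTC
Valid-Until: Sat, 28 Aug 2021 08:15:00 UTC
Architectures: amd64 arm64
Components: main
"""

# Debian archives write these timestamps in UTC in this fixed form.
DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"


def parse_release_fields(text):
    """Return the top-level 'Key: value' fields of a Release file as a dict.
    Continuation lines (indented hash lists) are skipped."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_utc(value):
    """Parse a Release-file timestamp into an aware UTC datetime."""
    return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)


def replay_window(text):
    """How long a captured copy of this file stays acceptable: the span
    between Date and Valid-Until. This is the window an attacker replaying
    old indices has, whatever transport carried the file."""
    f = parse_release_fields(text)
    return parse_utc(f["Valid-Until"]) - parse_utc(f["Date"])


def check_freshness(text, now, max_valid_time=None, skew=timedelta(minutes=10)):
    """Decide whether a Release file may be used at time `now`.

    Returns (accepted, reason). `max_valid_time` stands in for apt's
    Acquire::Max-ValidTime: a fallback maximum age applied when the file
    carries no Valid-Until. `skew` is a tolerance for client clock error
    (an assumed value, not apt's exact behaviour)."""
    f = parse_release_fields(text)
    if "Date" not in f:
        return False, "rejected: no Date field"
    date = parse_utc(f["Date"])
    if date > now + skew:
        return False, "rejected: Date lies in the future (clock skew or forged file)"
    if "Valid-Until" in f:
        until = parse_utc(f["Valid-Until"])
    elif max_valid_time is not None:
        until = date + max_valid_time
    else:
        # Nothing bounds the file's lifetime: it can be replayed indefinitely.
        return True, "accepted: no Valid-Until and no maximum age configured"
    if now > until + skew:
        return False, f"rejected: expired at {until.isoformat()} (stale index)"
    return True, f"accepted: valid until {until.isoformat()}"


if __name__ == "__main__":
    print("replay window:", replay_window(SAMPLE_RELEASE))
    for when in (datetime(2021, 8, 22, tzinfo=timezone.utc),
                 datetime(2021, 9, 1, tzinfo=timezone.utc)):
        print(when.date(), check_freshness(SAMPLE_RELEASE, when))
```

With the sample above the replay window is seven days: a client that is silently fed a week-old copy of the file still sees it as valid, which is the "shrinks the window" point, while a copy older than that is refused regardless of whether it arrived over HTTP or HTTPS.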

Attachment: signature.asc
Description: PGP signature
