HTTPS isn't so much about security as it is about privacy. Maybe we should have called it HTTPP or PHTTP.
Most Debian packages can be uniquely identified by request+response length, so absent some trickery with HTTP ranges, HTTPS provides no privacy there. They should be using HTTPS because when people download packages by hand, they don't do the verification that APT normally does.
It's kind of perverted to think of privacy as "no one can figure out my secrets" when what it really means is "I have control over my secrets." We already know that length inspection attacks can be somewhat foiled by padding which TLS 1.3 and HTTP/2 both offer.
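The two claims in this thread, that response length alone can identify a package and that padding blunts this, can be measured directly. The following is an added example, not part of the original thread: the package names and sizes are constructed, and rounding every response up to a fixed block size is an assumed padding policy (TLS 1.3 and HTTP/2 leave the policy to the implementation).

```python
from collections import Counter

# Constructed sample: package name -> download size in bytes (not real Debian data).
SIZES = {
    "pkg-a": 10_240,
    "pkg-b": 10_900,
    "pkg-c": 11_000,
    "pkg-d": 48_211,
    "pkg-e": 48_950,
    "pkg-f": 512_004,
}

def pad_to_block(size, block):
    """Round size up to the next multiple of block (block=1 means no padding)."""
    return -(-size // block) * block

def unique_fraction(sizes, block=1):
    """Fraction of packages whose on-the-wire length is shared with no other package."""
    padded = {name: pad_to_block(s, block) for name, s in sizes.items()}
    counts = Counter(padded.values())
    return sum(1 for length in padded.values() if counts[length] == 1) / len(padded)

def overhead(sizes, block):
    """Extra bytes sent because of padding, as a fraction of the unpadded total."""
    total = sum(sizes.values())
    return (sum(pad_to_block(s, block) for s in sizes.values()) - total) / total

if __name__ == "__main__":
    for block in (1, 1024, 4096):
        print(f"block={block:5d}  uniquely identifiable={unique_fraction(SIZES, block):.2f}  "
              f"overhead={overhead(SIZES, block):.3%}")
```

Larger blocks merge more packages into the same observable length at the cost of bandwidth, and an outlier such as `pkg-f` stays identifiable until another package falls in its bucket.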