the sane proposal would be to default to https mirrors only by default, and allow people to choose less secure mirrors at their leisure. but https is a solved problem, and outside of apathy there's absolutely no reason to host an http-only content mirror in 2019
Why do you need to be NSA to capture the victim's traffic? And how does capturing https differ from http in that regard?
A condescending note never helps, you know.
Some people don't learn until they get pwned (or get shown how people get pwned) - this is how @videolan closed the ticket with "no threat model, no proof". HTTPS is *still* a good idea even if you think your update signature model is bulletproof, for exactly this kind of reason.
Note taken.
Should Apple take note as well? iOS has been doing updates over HTTP for a loooooong time.
Well, I mean, Apple wrote their own HTTPS implementation anyway, and then 'goto fail' happened, so maybe Apple users are screwed either way ;-)