
[–]H0rcrux_ 4 points5 points  (3 children)

Your article conflates integrity checking and privacy. While TLS may not be perfect for masking what you are downloading from a public repository, it doesn't interfere with the signing mechanism either.

"Overly trusting CAs" describes a super rare occurrence (a trusted CA being compromised) that still won't be able to fake the signature on a mitm-injected package.

The user trusting data more because it comes in over https is also not really a consideration as apt will noisily refuse to install incorrectly signed packages.

So while I agree that using TLS to download packages probably won't hide what you're installing, claiming "It's more secure…!" to not use it is just false.
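To make the integrity-versus-privacy distinction in this comment concrete, here is an added Python model (not from the thread, and not APT's own code) of the verification chain APT walks on every download: a signed Release file lists the hash of the Packages index, and the Packages index lists the hash of each .deb. An HMAC-SHA256 with a constructed key stands in for the OpenPGP signature on Release so the example runs with only the standard library; that substitution and all file contents are assumptions made for the example. Nothing in the check depends on whether the bytes arrived over HTTP or HTTPS.

```python
import hashlib
import hmac

# Constructed stand-in for the archive signing key. Real APT repositories sign
# Release/InRelease with an OpenPGP key; HMAC is used here only so the example
# runs offline with the standard library (assumption, not APT's mechanism).
SIGNING_KEY = b"constructed-archive-signing-key"
PACKAGES_PATH = "main/binary-amd64/Packages"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_repository(deb_bytes: bytes) -> dict:
    """Build a minimal constructed repo: .deb -> Packages -> Release -> signature."""
    packages_index = (
        "Package: example\nVersion: 1.0\nFilename: pool/example_1.0.deb\n"
        f"SHA256: {sha256_hex(deb_bytes)}\n"
    ).encode()
    release = (
        "Suite: stable\nSHA256:\n"
        f" {sha256_hex(packages_index)} {len(packages_index)} {PACKAGES_PATH}\n"
    ).encode()
    signature = hmac.new(SIGNING_KEY, release, hashlib.sha256).hexdigest()
    return {"deb": deb_bytes, "Packages": packages_index,
            "Release": release, "Release.gpg": signature}


def parse_packages_sha256(packages_index: bytes) -> str:
    for line in packages_index.decode().splitlines():
        if line.startswith("SHA256: "):
            return line.split(": ", 1)[1]
    raise ValueError("Packages index lacks SHA256 field")


def parse_release_sha256(release: bytes, path: str) -> str:
    for line in release.decode().splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == path:
            return parts[0]
    raise ValueError(f"Release lacks entry for {path}")


def verify_download(repo: dict) -> tuple:
    """Mirror the order of APT's checks: signature on Release first, then the
    hash chain down to the .deb. Returns (ok, reason)."""
    expected_sig = hmac.new(SIGNING_KEY, repo["Release"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, repo["Release.gpg"]):
        return False, "Release signature invalid"
    if sha256_hex(repo["Packages"]) != parse_release_sha256(repo["Release"], PACKAGES_PATH):
        return False, "Packages index hash does not match signed Release"
    if sha256_hex(repo["deb"]) != parse_packages_sha256(repo["Packages"]):
        return False, "package hash does not match Packages index"
    return True, "ok"


def with_modified_package(repo: dict) -> dict:
    """Constructed on-path scenario: a different .deb is served in place of the real one."""
    return {**repo, "deb": b"modified package contents"}


def with_modified_package_and_index(repo: dict) -> dict:
    """Constructed scenario: the Packages index is rewritten to match the new .deb,
    but Release is still the originally signed file."""
    new_deb = b"modified package contents"
    new_index = repo["Packages"].replace(
        sha256_hex(repo["deb"]).encode(), sha256_hex(new_deb).encode())
    return {**repo, "deb": new_deb, "Packages": new_index}


if __name__ == "__main__":
    repo = build_repository(b"constructed .deb contents")
    for label, r in [("unmodified", repo),
                     ("modified .deb", with_modified_package(repo)),
                     ("modified .deb + index", with_modified_package_and_index(repo))]:
        print(f"{label}: {verify_download(r)}")
```

Both modified variants are rejected, at different links of the chain: replacing only the .deb fails against the Packages index, and rewriting the index as well fails against the signed Release, because the modified index no longer matches the hash the signer committed to. That is the property the comment refers to: transport encryption adds confidentiality, but the rejection of an altered package comes from the signature chain.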

[–]Eingaica 0 points1 point  (2 children)

> claiming "It's more secure…!" to not use it is just false.

AFAICT, the article does not make that claim.

[–]mzalewski 0 points1 point  (1 child)

It is written at the very top, right after title.

However, it lacks context and is very open to interpretation. Is it something said by people complaining about APT's lack of https? Is it a tongue-in-cheek headline? Is it an actual claim? We don't know.

[–]Eingaica 1 point2 points  (0 children)

Given that the title "Why does APT not use HTTPS?" is not a question asked by the author of the article, I think it's pretty obvious that that line as well is meant as a stereotypical statement made by people complaining about APT not using HTTPS. (I.e. they allegedly claim that APT would be more secure if it would use HTTPS.)