Why is every mirror in Ubuntu http instead of https? It is insecure and yet everyone uses it.
because they can use gpg keys to verify that shit
>>53820149
Why does it matter?
>>53820149
They did have https but their 1 year free trial from Comodo ran out.
>>53820149
If your ISP is modifying ISOs you download in-flight, you have bigger problems.
>>53820149
hobbyist projects can't afford real security
HTTPS is overrated anyway.
>>53821188
I know right, like only everyone with brains uses it
>>53820149
Perhaps unfair to blame Ubuntu: originates from Debian.
apt mirrors are verified with GPG. However, there should also be a layer of TLS: without that, you're leaking info to passive adversaries about exactly what software versions you're running - and there are potential issues with active attackers and rollbacks.
Now that Let's Encrypt is a thing, the Debian issue with CACert is moot and hopefully mirrors can move over.
>>53821065
QUANTUMCOPPER can do it to you right now on mass scale, anon. So can HackingTeam's shit - they're back in business, by the way.
Oh no. Someone on my home network might see that I'm downloading an iso.
>>53822831
https doesn't hide your url for that matter
>>53822975
It does hide your pathname. (For this thread: /g/thread/53820149/why-no-https)
What it doesn't hide is your hostname (due to unencrypted SNI in current TLS versions, although things are still uncertain about TLS 1.3 - and, of course, due to the inevitable DNS request you'll have to make that almost certainly won't use DNSCurve/etc).
i.e. a passive attacker can see right now that you're reading and/or shitposting on boards.4chan.org, but they can't see which board or thread you're frequenting - that one's reserved for hiroshimoot (and Cloudflare).
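Added example, not part of any post in this thread: a Python sketch of what a passive observer can read from a plain-HTTP package fetch versus the TLS ClientHello of the same fetch. It covers both the hostname-versus-pathname point above and the earlier point about plain HTTP leaking software versions. The host `mirror.example.org`, the package filename and the minimal ClientHello are constructed samples.

```python
import struct

def observe_http(request: bytes) -> dict:
    """Fields a passive observer reads from a plaintext HTTP request."""
    lines = request.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
    path = lines[0].split(" ")[1]
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    seen = {"host": headers.get("Host"), "path": path}
    name = path.rsplit("/", 1)[-1]
    if name.endswith(".deb") and name.count("_") >= 2:
        # .deb files are named <package>_<version>_<arch>.deb
        seen["package"], seen["version"], _ = name[:-4].split("_", 2)
    return seen

def observe_tls(record: bytes) -> dict:
    """Fields a passive observer reads from a TLS ClientHello: the SNI only."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:  # handshake record, ClientHello
            return {"host": None, "path": None}
        p = 5 + 4 + 2 + 32                               # headers, version, random
        p += 1 + record[p]                               # session_id
        p += 2 + struct.unpack_from("!H", record, p)[0]  # cipher_suites
        p += 1 + record[p]                               # compression_methods
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", record, p)
            if etype == 0:  # server_name: list_len(2) type(1) name_len(2) name
                nlen = struct.unpack_from("!H", record, p + 7)[0]
                return {"host": record[p + 9:p + 9 + nlen].decode("ascii"), "path": None}
            p += 4 + elen
    except (IndexError, struct.error):
        pass  # truncated or malformed record: nothing recoverable
    return {"host": None, "path": None}

def build_client_hello(host: str) -> bytes:
    """Constructed minimal ClientHello carrying only an SNI extension."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed sample request for a package on a hypothetical mirror
SAMPLE_HTTP = (b"GET /ubuntu/pool/main/o/openssl/openssl_1.0.2g-1ubuntu4_amd64.deb HTTP/1.1\r\n"
               b"Host: mirror.example.org\r\n\r\n")
```

Over plain HTTP the observer recovers host, path, package and version; from the ClientHello only the host. The GET line with the pathname travels inside the encrypted channel and never appears in the handshake.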
>>53823024
thx for clarifying