On Sun 15 Aug 2021 at 20:40:36 +0200, Bruno Zuber wrote:
It seems to be "http" by default (at least it's on my newly installed system). I've switched to https and everything still works.
Works for me too. But that wasn't what I was puzzled about.
"https" prevents someone from tampering with the user's connection (e.g.
man in the middle attack). However, as the packages are signed anyway,
https is "just" an additional level of security. But why not use it if
it comes without additional "costs"?
Once it is said that all the packages are signed, everything has
been said. A man in the middle attack would alter the signing. If
it doesn't, packages from a regular archive would be at risk. But
the installer uses http for the lines it puts in sources.list.
Why are the Release Notes out of step? Are its authors more aware
of security?
Cheers,
Brian.