Mirror sites should be only available via HTTPS
erdospal at mail.com
Thu Jan 5 06:29:17 UTC 2017
Is there a policy (or in planning) that the Mirror sites for Ubuntu-related software should be only available via HTTPS?
It is 2017 and there is Let's Encrypt.
For example, if I go to https://www.ubuntu.com/download/desktop/thank-you?country=GB&version=16.04.1&architecture=amd64
Just to download Ubuntu, I will be redirected to:
Which is in plain HTTP! What?
I know that HTTPS has issues (related to BGP, or the CA system)
But the overall risk (impact x probability) would be better if there were a policy to only use HTTPS in the whole infrastructure.
Even the web browsers will mark the plain HTTP pages as non-secure: