Mirror sites should be only available via HTTPS
Erdos Pal
erdospal at mail.com
Thu Jan 5 06:29:17 UTC 2017
Hello,
is there a policy (or one in planning) that the mirror sites for Ubuntu-related software should be only available via HTTPS?
It is 2017 and there is Let's Encrypt.
Example if I go to https://www.ubuntu.com/download/desktop/thank-you?country=GB&version=16.04.1&architecture=amd64
Just to download Ubuntu, I will be redirected to:
http://releases.ubuntu.com/16.04.1/ubuntu-16.04.1-desktop-amd64.iso
Which is in plain HTTP! What?
I know that HTTPS has issues (related to BGP, or the CA system)
https://www.youtube.com/watch?v=iG5rIqgKuK4
https://www.youtube.com/watch?v=LTtvE9jNv84
But the overall risk (impact x probability) would be better if there were a policy to only use HTTPS in the whole infrastructure.
Even the web browsers will mark plain HTTP pages as non-secure:
https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
https://www.youtube.com/watch?v=e6DUrH56g14
Thank you.
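An added check, not part of the original post: the script below walks a download URL's redirect chain with HEAD requests (assuming the hops are HTTP 3xx redirects rather than HTML meta refreshes) and flags any hop that drops from https to http; EXAMPLE_CHAIN is a constructed chain reproducing the two URLs quoted above, so the downgrade check itself runs offline.

```python
"""Walk a download URL's redirect chain and flag HTTPS -> HTTP downgrades."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit


def downgrade_hops(chain):
    """Return (from_url, to_url) pairs where a hop drops from https to http."""
    return [(src, dst) for src, dst in zip(chain, chain[1:])
            if urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"]


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def follow_redirects(url, max_hops=10):
    """Return the ordered list of URLs visited, first request to final target.

    Only HEAD requests are sent, so the ISO itself is never downloaded.
    Needs network access; the offline check below uses a constructed chain.
    """
    opener = urllib.request.build_opener(_NoFollow)
    chain = [url]
    for _ in range(max_hops):
        try:
            opener.open(urllib.request.Request(chain[-1], method="HEAD"), timeout=10)
            return chain  # 2xx reached: this is the final target
        except urllib.error.HTTPError as err:
            if err.code not in (301, 302, 303, 307, 308) or "Location" not in err.headers:
                return chain  # genuine error, stop walking
            chain.append(urljoin(chain[-1], err.headers["Location"]))
    return chain  # hop limit hit: report what was seen


# Constructed chain reproducing the redirect quoted in the post (not fetched live).
EXAMPLE_CHAIN = [
    "https://www.ubuntu.com/download/desktop/thank-you"
    "?country=GB&version=16.04.1&architecture=amd64",
    "http://releases.ubuntu.com/16.04.1/ubuntu-16.04.1-desktop-amd64.iso",
]

if __name__ == "__main__":
    chain = follow_redirects(sys.argv[1]) if len(sys.argv) > 1 else EXAMPLE_CHAIN
    for src, dst in downgrade_hops(chain):
        print(f"DOWNGRADE: {src} -> {dst}")
```

Run it with a URL as the first argument to inspect a live chain; without arguments it evaluates the constructed chain.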