by _wmd
2705 days ago
Every time this site comes up people entirely miss the point in this regard -- Debian operates a large voluntary network of mirrors. You are not trusting content coming from Debian, you're trusting it coming from the mirror. SSL only secures the link between the client and the potentially compromised mirror, it does not solve problems like the one from the article. Meanwhile it's worth pointing out that OpenSSL has historically been one of the buggiest pieces of code in existence. Despite this being a game-over RCE, it's the first of its kind in many years. If OpenSSL had been in the mix, Apt would have required forced upgrades /far/ more often. https://www.openssl.org/news/vulnerabilities.html
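The signed-metadata chain _wmd is describing (the archive-signed Release file pins the hash of each index, the index pins the hash of each .deb) is what apt checks no matter which mirror served the files; the following is an added example, not apt's or Debian's code, that walks that chain on constructed sample data. It assumes the Release file's OpenPGP signature has already been verified (as gpgv would do) and does not perform that step itself; the package name, paths and payload are hypothetical.

```python
import hashlib
import re

def parse_release_hashes(release_text):
    # Map index path -> (sha256 hex, size) from the "SHA256:" section of a Release file.
    hashes, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
        elif in_section:
            break  # a non-indented line ends the hash section
    return hashes

def parse_packages(packages_text):
    # Map .deb path -> sha256 hex from the stanzas of a Packages index.
    result = {}
    for stanza in re.split(r"\n\s*\n", packages_text.strip()):
        fields = dict(ln.split(": ", 1) for ln in stanza.splitlines() if ": " in ln)
        result[fields["Filename"]] = fields["SHA256"]
    return result

def verify_index(release_text, index_path, index_bytes):
    # A mirror-served index is accepted only if it matches the entry in the signed Release file.
    expected = parse_release_hashes(release_text).get(index_path)
    if expected is None:
        return False
    return len(index_bytes) == expected[1] and hashlib.sha256(index_bytes).hexdigest() == expected[0]

def verify_deb(packages_text, filename, deb_bytes):
    # A .deb is accepted only if it matches the hash recorded in the (already verified) index.
    expected = parse_packages(packages_text).get(filename)
    return expected is not None and hashlib.sha256(deb_bytes).hexdigest() == expected

# Constructed sample data (not a real package): a .deb payload, the Packages stanza
# describing it, and the Release file that pins the index hash. Hashes are derived here
# so the sample stays self-consistent.
DEB_BYTES = b"!<arch>\nconstructed-sample-deb-contents\n"
DEB_PATH = "pool/main/e/example/example_1.0_amd64.deb"
PACKAGES = (f"Package: example\nVersion: 1.0\nArchitecture: amd64\nFilename: {DEB_PATH}\n"
            f"Size: {len(DEB_BYTES)}\nSHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n")
PACKAGES_BYTES = PACKAGES.encode()
RELEASE = ("Origin: Debian\nSuite: stable\nSHA256:\n"
           f" {hashlib.sha256(PACKAGES_BYTES).hexdigest()} {len(PACKAGES_BYTES)} main/binary-amd64/Packages\n"
           "Acquire-By-Hash: yes\n")

if __name__ == "__main__":
    print("mirror index matches signed Release:", verify_index(RELEASE, "main/binary-amd64/Packages", PACKAGES_BYTES))
    print(".deb matches verified index:", verify_deb(PACKAGES, DEB_PATH, DEB_BYTES))
```

Any byte a mirror changes in the index or the package breaks one link of the chain, which is why the transport to the mirror is not what apt relies on for integrity.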
If you don't think OpenSSL is a high enough quality implementation, there are many others to choose from.
Even with a range of mirrors, requiring HTTPS would still raise the bar for attackers.