by _9jgl 2622 days ago
Not exactly the same, but: https://whydoesaptnotusehttps.com/

tldr: if you verify the download against a trusted PGP key, it doesn't matter where the download actually came from.

3 comments

Which is, IMHO, a ridiculously short-sighted approach that ignores the difference between theory and practice.

If there is a vuln in (or before) the GPG signature check, using HTTPS has a good chance of making it a lot harder to exploit (because the attacker will likely need to get into a trusted position instead of MitMing any HTTP connection).
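The flow the submitter's tl;dr and the reply above are arguing about, as an added example (not code from the page, from apt, or from the linked site): a client with a pinned publisher key verifies the signed manifest first, then checks the package hash against it, and only then parses anything that came off the wire. Assumptions of this example: Ed25519 stands in for the archive's PGP key, a sorted "sha256  name" list stands in for apt's Release file, and the package bytes and names are constructed. Tampering with the package, rewriting the manifest, or re-signing with a different key is rejected regardless of how the bytes were transported; the one thing the transport still buys you, per the reply above, is that the code that runs before the signature check is reachable only by a MitM on the path.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Repo is the publisher. Its private key never leaves the archive; clients
// pin only Pub. Ed25519 stands in for the archive's PGP key (an assumption of
// this example; apt itself runs gpgv over the Release/InRelease file).
type Repo struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewRepo() (*Repo, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Repo{priv: priv, Pub: pub}, nil
}

// Manifest plays the role of apt's Release file: one "<sha256hex>  <name>"
// line per package, sorted so the signed bytes are deterministic.
func Manifest(pkgs map[string][]byte) []byte {
	names := make([]string, 0, len(pkgs))
	for n := range pkgs {
		names = append(names, n)
	}
	sort.Strings(names)
	var b bytes.Buffer
	for _, n := range names {
		sum := sha256.Sum256(pkgs[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.Bytes()
}

// Sign is done once, offline, by the archive (Release.gpg in apt terms).
func (r *Repo) Sign(manifest []byte) []byte {
	return ed25519.Sign(r.priv, manifest)
}

// Download is whatever arrived over the untrusted transport: plain HTTP, a
// mirror, a caching proxy or a MitM may have rewritten any field of it.
type Download struct {
	Manifest []byte
	Sig      []byte
	Name     string
	Pkg      []byte
}

var ErrBadSignature = errors.New("manifest signature does not verify against pinned key")
var ErrNotListed = errors.New("package not listed in signed manifest")
var ErrHashMismatch = errors.New("package hash differs from signed manifest")

// VerifyDownload is the client's check. Order matters: nothing that came off
// the wire is parsed until the pinned key has vouched for it, so a bug in the
// manifest parser is only reachable by someone holding the archive's key.
func VerifyDownload(pinned ed25519.PublicKey, d Download) ([]byte, error) {
	if !ed25519.Verify(pinned, d.Manifest, d.Sig) {
		return nil, ErrBadSignature
	}
	// Only now is the manifest trustworthy enough to parse.
	want := ""
	sc := bufio.NewScanner(bytes.NewReader(d.Manifest))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 2 && fields[1] == d.Name {
			want = fields[0]
		}
	}
	if want == "" {
		return nil, ErrNotListed
	}
	got := sha256.Sum256(d.Pkg)
	if hex.EncodeToString(got[:]) != want {
		return nil, ErrHashMismatch
	}
	// The package bytes are exactly what the archive signed for; hand them on.
	return d.Pkg, nil
}

func main() {
	repo, err := NewRepo()
	if err != nil {
		panic(err)
	}
	pkg := []byte("constructed package body standing in for hello.deb")
	m := Manifest(map[string][]byte{"hello.deb": pkg})
	sig := repo.Sign(m)
	_, err = VerifyDownload(repo.Pub, Download{Manifest: m, Sig: sig, Name: "hello.deb", Pkg: pkg})
	fmt.Println("genuine download:", err)
	// A MitM on a plain-HTTP mirror swaps the package body but cannot re-sign.
	_, err = VerifyDownload(repo.Pub, Download{Manifest: m, Sig: sig, Name: "hello.deb", Pkg: []byte("trojaned")})
	fmt.Println("swapped package:", err)
}
```

Everything the client trusts derives from the pinned key, not from where the bytes came from, which is the tl;dr's point; the caveat is that `ed25519.Verify` and the code before it are the exposed surface on an unauthenticated transport, so keep that path as small as the check itself.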

It does matter if you're behind a dumb corporate firewall that doesn't care what you're requesting, unless it's not going through HTTPS.

Why yes, this is dumb. Why yes, I can't do anything about it. This is why having an https path matters.

Thanks!