Can't be bothered to do the exact stats now on how many Debian mirrors support HTTPS, but seems like more than 33%, less than 66%.
Yes, the shell monstrosity is fugly.
You do of course realize that leaked certs don't provide worse security than no cert...
Right now, RCE on the most popular Linux distributions at public networks around the world is a simple mitmproxy away. This has happened repeatedly, and every time infosec says the same thing: TLS would have made this attack too expensive for 99% of attackers. All we ever hear back is inane comments like "it's just this once" or "we verify the signatures, it doesn't really matter".
Once again, TLS would have stopped 99% of attackers, and stops them in the future. Who knows who else found this before it was disclosed? There will never be no security bugs. Nobody is going to stop looking for bugs. Just like nobody stopped looking for bugs in any other program that switched to TLS.
And in the process, stop countless abusive spouses, stalkers, and bosses from installing spyware on computers all over the world.
But no, if it doesn't stop a state adversary, of course it serves no purpose in your self-absorbed thought experiment.
yeah man, TLS definitely stops abusive spouses, stalkers and bosses from installing spyware on computers.
It literally does in this case. I don't think you understand how hard it is to exploit a CA, versus how trivial this attack is.
you must be smoking some real good shit to come up with this threat model!
See, if I want to spy on what my spouse is doing, I will just put a RAT on their computer, which will take screenshots and log keystrokes.
I would definitely not suggest anyone come to you for espionage strategies.
I mean, I want to reiterate: your threat model is really bizarre! If I am a boss or jealous spouse, I have physical access to the machine! Why do I need to fuck around with an MITM at all?
One of my coworkers has a stalker. You think this is outside of their threat model?
@kaniini Seeing what packages are requested, particularly during major upgrades / release updates, is effectively identical to transferring your local package list to the server. Or, over HTTP transport, all points between you and same.
You seem to have strong feelings, violent tendencies, and little actual clue as to security. This has proved a poor mix in my experience. I hope your mileage differs.
I somehow doubt it.
@levi Yeah, but the _other_ dog in this fight is a space alien cat.
Who's a girl gonna bet the bank on in this mad mad mad mad mad mad world?
@levi ooooohhkaaay, (but that site is a normal forum and not in the fediverse, is it?)
Look, I don't enjoy name-calling and ad personam arguments regardless of which side of the discussion I am on.
If you want to call people autists, do it somewhere where I don't have to interface with it.
@maswan I would say HTTPS makes the set of people able to exploit it *considerably* smaller. And again, I am not saying the bug should not be fixed -- it absolutely should.
But people make mistakes, bugs happen, and defense in depth is a thing. HTTPS would make exploitation considerably harder.