Discussion:
[PATCH] Update users.txt to HTTPS
Tim Ruehsen
2017-02-16 10:27:08 UTC
Permalink
Hi,

I updated the links in users.txt to HTTPS where possible (manually checked).
For outdated links I tried to find the current valid links.

newts: Could find anything, thus you see a ? prepended

Regards, Tim
Bruno Haible
2017-02-16 12:46:56 UTC
Permalink
Post by Tim Ruehsen
I updated the links in users.txt to HTTPS where possible (manually checked).
For outdated links I tried to find the current valid links.
Thanks a lot! I've applied it in your name. The rationale, for me, is that
http and ftp are vulnerable to man-in-the-middle attacks [1].

Bruno

[1] https://lists.gnu.org/archive/html/bug-gnulib/2017-01/msg00102.html
Tim Ruehsen
2017-02-16 14:10:26 UTC
Permalink
Post by Bruno Haible
Post by Tim Ruehsen
I updated the links in users.txt to HTTPS where possible (manually
checked). For outdated links I tried to find the current valid links.
Thanks a lot! I've applied it in your name. The rationale, for me, is that
http and ftp are vulnerable to man-in-the-middle attacks [1].
Bruno
[1] https://lists.gnu.org/archive/html/bug-gnulib/2017-01/msg00102.html
Thanks, and yes, MITM active and passive (reading content) attacks are my
rationale as well.

It is pretty bad, that many announcements[1] still point to our ftp and http
sites. How many downloaders check the signatures manually ? 1% ?

Am I the only maintainer using HTTPS (for wget announcements) ?
I already thought about dropping the reference to http://ftpmirror.gnu.org/.
There is no HTTPS pendant.

[1] http://lists.gnu.org/archive/html/info-gnu/2017-02/index.html

Regards, Tim

Loading...