Miłosz Tyborowski (milosz@tyborek.pl) wrote on Thu, Mar 23, 2017 at 05:16:34PM -03:
> It is interesting for us too, why would one disable https?
Because it's useless and consumes a lot more resources. It's useless because an attacker that monitors your network traffic will discover what you downloaded easily by the IPs and file sizes. Mirrors are pretty well known and distro file sizes also, so it's not difficult. It's not necessary for integrity checks because packages are (or should be) signed with the distribution key, which the client knows, so the client verifies by itself if the package is correct. If the mirror is corrupted the client should refuse it. An attack on a mirror may at most freeze updates, keeping the client ignorant of new versions with security corrections. That's why distributions monitor their mirrors. It's a lot more expensive not only because of the cryptography but also (mainly?) because the bits must go through user space, which they don't with sendfile. The memory copies put a significant burden on the mirror.
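The reply above rests on two claims: the client trusts the distribution's signature rather than the mirror or the transport, and a corrupted mirror can therefore at most freeze updates. This Go program is an added example (not from this thread or any distribution's tooling) of the client side of that argument: a hypothetical signed package index with an expiry, Ed25519 standing in for whatever key scheme a real distribution uses, and constructed package contents.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

var ErrBadSignature = errors.New("index signature invalid: mirror not trusted")
var ErrStale = errors.New("index expired: mirror may be freezing updates")
var ErrTampered = errors.New("package hash mismatch: refusing it")

// Index is the hypothetical repository metadata the distribution signs and mirrors serve.
type Index struct {
	Expires  int64             `json:"expires"`  // unix seconds, refreshed often
	Packages map[string]string `json:"packages"` // package name -> hex sha256
}

// canonical is the signed byte form; json.Marshal is deterministic here (fixed field order, sorted map keys).
func canonical(idx Index) []byte { b, _ := json.Marshal(idx); return b }
func hashHex(b []byte) string { sum := sha256.Sum256(b); return hex.EncodeToString(sum[:]) }

// VerifyPackage is the client-side check: trust comes from the distribution key the client already holds.
func VerifyPackage(distKey ed25519.PublicKey, idx Index, sig []byte, name string, body []byte, now time.Time) error {
	if !ed25519.Verify(distKey, canonical(idx), sig) {
		return ErrBadSignature // corrupted mirror: refuse everything it serves
	}
	if now.Unix() > idx.Expires {
		return ErrStale // old but validly signed index replayed to hide updates
	}
	if idx.Packages[name] != hashHex(body) {
		return ErrTampered // body does not match the signed hash
	}
	return nil
}

// demo exercises the three verdicts with a constructed key, index and package.
func demo() (good, tampered, stale error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	body, now := []byte("constructed package contents"), time.Now()
	idx := Index{Expires: now.Add(24 * time.Hour).Unix(), Packages: map[string]string{"foo_1.0.deb": hashHex(body)}}
	sig := ed25519.Sign(priv, canonical(idx))
	good = VerifyPackage(pub, idx, sig, "foo_1.0.deb", body, now)
	tampered = VerifyPackage(pub, idx, sig, "foo_1.0.deb", append(body, 'x'), now)
	stale = VerifyPackage(pub, idx, sig, "foo_1.0.deb", body, now.Add(48*time.Hour))
	return
}
```

The expiry check is what turns the "freeze" attack the reply mentions into something the client itself notices, independent of whether the mirror was reached over plain HTTP.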