[arch-mirrors] Drop HTTPS support for archlinux.honkgong.info
Hey hey, I recently disabled https for archlinux.honkgong.info. Please remove https://archlinux.honkgong.info from the mirrorlist. The mirror is still available via http and rsync. Thank you, ushi
On 22.03.2017 19:51, ushi wrote:
I recently disabled https for archlinux.honkgong.info. Please remove https://archlinux.honkgong.info from the mirrorlist. The mirror is still available via http and rsync.
Thanks for the notification. Would you mind telling me why you disabled https? Was it due to too high load? If you don't want to pay for SSL certificates you might want to look at Let's Encrypt. You can easily get free certs (even for commercial usage) there. Florian
Hi! It is interesting for us too, why would one disable https? 2017-03-23 20:43 GMT+01:00 Florian Pritz via arch-mirrors <arch-mirrors@archlinux.org>:
Miłosz Tyborowski (milosz@tyborek.pl) wrote on Thu, Mar 23, 2017 at 05:16:34PM -03:
It is interesting for us too, why would one disable https?
Because it's useless and consumes a lot more resources. It's useless because an attacker that monitors your network traffic will discover what you downloaded easily by the IPs and file sizes. Mirrors are pretty well known and distro file sizes also, so it's not difficult. It's not necessary for integrity checks because packages are (or should be) signed with the distribution key, which the client knows, so the client verifies by itself if the package is correct. If the mirror is corrupted the client should refuse it. An attack on a mirror may at most freeze updates, keeping the client ignorant of new versions with security corrections. That's why distributions monitor their mirrors. It's a lot more expensive not only because of the cryptography but also (mainly?) because the bits must go through user space, which they don't with sendfile. The memory copies put a significant burden on the mirror.
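The freeze attack described above (a stale or compromised mirror serving an old, still validly signed snapshot, which signature checks alone cannot detect) is exactly what mirror monitoring catches. As an added example, not code from this thread or from Arch's own mirror checker, the script below classifies mirrors by the Unix timestamp in the `lastsync` file that Arch mirrors publish at their root, comparing it against the upstream value and a trusted clock. The hostnames, timestamps and the 24-hour lag threshold are constructed for illustration.

```python
"""Freshness check for package mirrors: detect freeze/rollback, not forgery.

Signed packages and databases stop a mirror from inventing content, but a
mirror can keep serving yesterday's (validly signed) snapshot indefinitely.
Arch mirrors expose a `lastsync` file containing the Unix time of their last
successful sync; comparing it with the upstream value bounds how far behind a
mirror may be. All sample data below is constructed, not measured.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed tolerances (hypothetical, tune per distribution): a mirror more than
# MAX_LAG seconds behind upstream is stale; a lastsync more than SKEW seconds in
# the future indicates a bad clock or a tampered file and is never "ok".
MAX_LAG = 24 * 3600
SKEW = 300


@dataclass
class MirrorCheck:
    url: str
    lastsync: Optional[int]   # parsed timestamp, None if the file was garbage
    status: str               # "ok", "stale", "future" or "unparseable"
    lag: Optional[int]        # seconds behind upstream (negative = ahead)


def parse_lastsync(text: str) -> Optional[int]:
    """Accept only a bare decimal epoch; an HTML error page yields None."""
    stripped = text.strip()
    return int(stripped) if stripped.isdigit() else None


def classify(mirror_ts: Optional[int], upstream_ts: int, now: int,
             max_lag: int = MAX_LAG) -> Tuple[str, Optional[int]]:
    """Return (status, lag) for one mirror timestamp."""
    if mirror_ts is None:
        return "unparseable", None
    if mirror_ts > now + SKEW:
        return "future", upstream_ts - mirror_ts
    lag = upstream_ts - mirror_ts
    if lag > max_lag:
        return "stale", lag
    return "ok", lag


def check_mirrors(responses: Dict[str, str], upstream_text: str, now: int,
                  max_lag: int = MAX_LAG) -> List[MirrorCheck]:
    """Classify every mirror; freshest first so the caller can rank them.

    `responses` maps mirror URL -> body of its /lastsync (already fetched).
    """
    upstream_ts = parse_lastsync(upstream_text)
    if upstream_ts is None:
        raise ValueError("upstream lastsync is not a timestamp")
    results = []
    for url, body in responses.items():
        ts = parse_lastsync(body)
        status, lag = classify(ts, upstream_ts, now, max_lag)
        results.append(MirrorCheck(url, ts, status, lag))
    # Unparseable mirrors sort last; everything else by newest sync.
    results.sort(key=lambda r: (r.lastsync is None, -(r.lastsync or 0)))
    return results


# Constructed scenario: "now" is 2017-03-23 18:00 UTC; upstream synced 10 min ago.
NOW = 1490292000
UPSTREAM = str(NOW - 600)
SAMPLE_RESPONSES = {
    "http://mirror-a.example.org/archlinux/": str(NOW - 1800),          # healthy
    "http://mirror-b.example.org/archlinux/": str(NOW - 3 * 86400),     # frozen 3 days
    "http://mirror-c.example.org/archlinux/": str(NOW + 7200),          # clock in future
    "http://mirror-d.example.org/archlinux/": "<html>503 Unavailable</html>",
}


def demo() -> List[MirrorCheck]:
    return check_mirrors(SAMPLE_RESPONSES, UPSTREAM, NOW)


if __name__ == "__main__":
    for r in demo():
        print(f"{r.status:12} lag={r.lag!s:>8}  {r.url}")
```

In practice `responses` would be filled by fetching `<mirror>/lastsync` with a short timeout; the check is cheap enough to run from cron against a whole mirrorlist, and a mirror flagged `stale` should be dropped from client lists until it catches up.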
On 23.03.2017 at 20:43, Florian Pritz via arch-mirrors wrote:
Hey Florian, my certificate expired. While scrolling through the Let's Encrypt docs I checked my monitoring and realized that https usage on this mirror is close to zero. So I decided to just disable it and have a nice evening :) ushi
participants (4): Carlos Carvalho, Florian Pritz, Miłosz Tyborowski, ushi