[arch-mirrors] Drop HTTPS support for archlinux.honkgong.info

Carlos Carvalho carlos at fisica.ufpr.br
Thu Mar 23 20:25:11 UTC 2017


Miłosz Tyborowski (milosz at tyborek.pl) wrote on Thu, Mar 23, 2017 at 05:16:34PM -03:
> It is interesting for us too, why would one disable https?

Because it's useless and consumes a lot more resources.

It's useless because an attacker that monitors your network traffic will
discover what you downloaded easily by the IPs and file sizes. Mirrors are
pretty well known and distro file sizes also, so it's not difficult.

It's not necessary for integrity checks because packages are (or should be)
signed with the distribution key, which the client knows, so the client
verifies by itself if the package is correct. If the mirror is corrupted the
client should refuse it. An attack on a mirror may at most freeze updates,
keeping the client ignorant of new versions with security corrections. That's
why distributions monitor their mirrors.

It's a lot more expensive not only because of the cryptography but also
(mainly?) because the bits must go through user space, which they don't with
sendfile. The memory copies put a significant burden on the mirror.
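The two data paths contrasted in the message above, as an added example that is not part of the original post. It is Linux-only, the names `serve_sendfile`, `serve_copy` and `make_payload` are hypothetical, and a `socketpair` stands in for a client connection; no real encryption is performed, the comment only marks where a user-space TLS library would do it.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/sendfile.h>
#include <sys/socket.h>
#include <unistd.h>

/* Plain-HTTP path: the kernel moves file data to the socket itself, so
 * nothing is copied into this process. Returns bytes sent, or -1. */
ssize_t serve_sendfile(int sock, int fd, size_t len) {
    off_t off = 0;
    while ((size_t)off < len)
        if (sendfile(sock, fd, &off, len - (size_t)off) <= 0) return -1;
    return (ssize_t)off;
}

/* Path a user-space TLS library takes: read into a buffer (where the
 * encryption would run), then write. *copied = bytes pulled into user space. */
ssize_t serve_copy(int sock, int fd, size_t len, size_t *copied) {
    char buf[4096];
    for (*copied = 0; *copied < len;) {
        size_t want = len - *copied < sizeof buf ? len - *copied : sizeof buf;
        ssize_t n = pread(fd, buf, want, (off_t)*copied);
        if (n <= 0) return -1;
        for (ssize_t w = 0, k = 0; w < n; w += k)   /* handle short writes */
            if ((k = write(sock, buf + w, (size_t)(n - w))) <= 0) return -1;
        *copied += (size_t)n;
    }
    return (ssize_t)*copied;
}

/* Constructed sample "package": an unlinked temp file holding data. */
int make_payload(const char *data, size_t len) {
    char path[] = "/tmp/pkgXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    if (write(fd, data, len) != (ssize_t)len) { close(fd); return -1; }
    return fd;
}

int main(void) {
    const char pkg[] = "constructed sample package bytes";
    int sv[2], fd = make_payload(pkg, sizeof pkg);
    size_t copied = 0;
    if (fd < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 1;
    ssize_t a = serve_sendfile(sv[0], fd, sizeof pkg), b = serve_copy(sv[0], fd, sizeof pkg, &copied);
    printf("sendfile: %zd sent; copy loop: %zd sent, %zu via user space\n", a, b, copied);
}
```

Both functions deliver identical bytes to the peer; only the copy loop touches them in the server process, which is the per-byte cost the message attributes to HTTPS.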

