Post by Bruno Haible Post by Tim Ruehsen
I updated the links in users.txt to HTTPS where possible (manually
checked). For outdated links I tried to find the current valid links.
Thanks a lot! I've applied it in your name. The rationale, for me, is that
http and ftp are vulnerable to man-in-the-middle attacks .
Thanks, and yes, MITM active and passive (reading content) attacks are my
rationale as well.
It is pretty bad, that many announcements still point to our ftp and http
sites. How many downloaders check the signatures manually ? 1% ?
Am I the only maintainer using HTTPS (for wget announcements) ?
I already thought about dropping the reference to http://ftpmirror.gnu.org/.
There is no HTTPS pendant.