[CentOS-mirror] SSL for mirrors?

Levi Pihema-Lindsay levi at 2prointl.co
Wed Jan 18 01:40:57 UTC 2017


Actually,

If a master mirror gets hacked, and an ISO replaced, the modified copy will be rsync'd to the mirrors. So, it's still in people's best interests to (even if downloading over SSL) checksum the ISO.

-L

> On 18/01/2017, at 2:38 PM, Ryan Nix <ryan.nix at gmail.com> wrote:
> 
> The performance hit is negligible, especially for someone like Northwestern that is part of Internet2. We also have an SSD drive pushing the bits on the mirror. Personally, there is no reason not to use SSL wherever possible, especially with Let’s Encrypt being free and automated. There is a reason Google gives preferential rankings to sites that use SSL. Yes, there are checksums on the CentOS ISOs and packages, but how many people actually do that after a download? Using SSL reduces the need for checksums.
> 
>> On Jan 17, 2017, at 7:52 AM, cdnops at as250.net wrote:
>> 
>> Dear Ryan,
>> 
>> I am curious...
>> 
>> which advantages did you intend to get out of the redirect?
>> 
>> imho it doesn't offer any increase in security at all:
>> 
>> 1) The packages are signed, so their integrity is protected.
>> 
>> 2) Confidentiality of the request is already broken before the redirect.
>> 
>> 3) MITM/Downgrade can already happen there.
>> 
>> So unless HTTPS becomes the standard delivery method or HSTS is honored,
>> this is a moot exercise anyway that just leads to lower performance.
>> 
>> If HTTPS becomes the standard delivery method, against which CA base
>> will certificates be checked? Having signed packages already solves this
>> problem nicely and at the most convenient layer.
>> 
>> Please don't get me wrong... generally I think enabling TLS is a
>> great idea, but in this case I'm doubtful of the benefit.
>> 
>> Kind regards
>> AS250.net
>> CDN OPS
>> _______________________________________________
>> CentOS-mirror mailing list
>> CentOS-mirror at centos.org
>> https://lists.centos.org/mailman/listinfo/centos-mirror
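Levi's point above is that transport security does not protect against content that was already wrong when it left the master mirror, so the downloaded image still has to be checked against its published checksum. The script below is an added example, not code from the thread or from the CentOS project: it parses a checksum manifest (both the GNU `<hex>  <file>` form and the BSD `SHA256 (<file>) = <hex>` form are assumed for illustration), hashes each listed file in chunks, and reports every entry as ok, mismatched, or missing. The sample files and manifest are constructed inline, with one image altered after the manifest was produced, which is exactly what a compromised master mirror propagating a replaced ISO looks like to the downloader.

```python
"""Verify downloaded images against a checksum manifest, independent of the transport used."""
import hashlib
import hmac
import os
import re
import tempfile

# Two manifest line styles are assumed here for illustration; check the one your mirror publishes.
#   BSD style: "SHA256 (CentOS-x.iso) = <64 hex chars>"
#   GNU style: "<64 hex chars>  CentOS-x.iso"
_BSD = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<hex>[0-9a-f]{64})$", re.I)
_GNU = re.compile(r"^(?P<hex>[0-9a-f]{64})\s+\*?(?P<name>\S.*)$", re.I)


def parse_manifest(text):
    """Return {filename: expected_sha256_hex} from a manifest body; blank and '#' lines are skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _BSD.match(line) or _GNU.match(line)
        if m:
            expected[m.group("name")] = m.group("hex").lower()
    return expected


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so multi-gigabyte ISOs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(manifest_text, directory):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every entry in the manifest."""
    results = {}
    for name, want in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        got = sha256_file(path)
        # compare_digest avoids timing differences; both strings are ASCII hex.
        results[name] = "ok" if hmac.compare_digest(got, want) else "mismatch"
    return results


def demo():
    """Constructed scenario: one intact image, one altered after the manifest was made, one absent."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good.iso")
        tampered = os.path.join(d, "tampered.iso")
        for path in (good, tampered):
            with open(path, "wb") as f:
                f.write(b"\x00" * 4096 + b"ORIGINAL")
        manifest = "\n".join([
            "# constructed manifest, not a real CentOS sha256sum.txt",
            f"{sha256_file(good)}  good.iso",
            f"SHA256 (tampered.iso) = {sha256_file(tampered)}",
            "0" * 64 + "  absent.iso",
        ])
        # Alter the second image after the manifest was produced: same length, different bytes,
        # the way a replaced ISO rsync'd from a compromised master would differ from its checksum.
        with open(tampered, "r+b") as f:
            f.seek(4096)
            f.write(b"MODIFIED")
        return verify_downloads(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

This only answers "does the file match the manifest"; it says nothing about whether the manifest is genuine. The manifest therefore has to come from a source the downloader trusts independently of the mirror, which for CentOS means verifying the signed checksum file (the `.asc` variant) against the project key with `gpg --verify` before trusting its contents, otherwise an attacker who can replace the ISO on the master can replace the checksum file beside it just as easily. That is the same layer cdnops refers to when noting that the packages themselves are signed.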
