[CentOS-mirror] SSL for mirrors?

Wed Jan 18 01:38:10 UTC 2017
Ryan Nix <ryan.nix at gmail.com>

The performance hit is negligible, especially for someone like Northwestern that is part of Internet2. We also have an SSD drive pushing the bits on the mirror. Personally, there is no reason not to use SSL wherever possible, especially with Let’s Encrypt being free and automated. There is a reason Google gives preferential rankings to sites that use SSL. Yes, there are checksums on the CentOS ISOs and packages, but how many people actually do that after a download? Using SSL reduces the need for checksums.

> On Jan 17, 2017, at 7:52 AM, cdnops at as250.net wrote:
> 
> Dear Ryan,
> 
> I am curious...
> 
> which advantages did you intend to get out of the redirect?
> 
> imho it doesn't offer any increase in security at all:
> 
> 1) The packages are signed, so their integrity is protected.
> 
> 2) Confidentiality of the request is already broken before the redirect.
> 
> 3) MITM/Downgrade can already happen there.
> 
> So unless HTTPS becomes standard delivery method or HSTS is honored,
> this is a moot exercise anyway that just leads to lower performance.
> 
> If HTTPS becomes the standard delivery method, against which CA base
> will certificates be checked? Having signed packages already solves this
> problem nicely and at the most convenient layer.
> 
> Please don't get me wrong... generally I think enabling TLS is a
> great idea, but in this case I'm doubtful of the benefit.
> 
> Kind regards
> AS250.net
> CDN OPS
> _______________________________________________
> CentOS-mirror mailing list
> CentOS-mirror at centos.org
> https://lists.centos.org/mailman/listinfo/centos-mirror
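Both messages above turn on the same point: integrity of a download rests on the published checksum and the project's package signatures, not on the transport. The following is an added example, not code from the thread or from the CentOS project, showing the verification step the first message says most people skip: check a downloaded image against a sha256sum-format checksum file and fail on any mismatch or missing entry. The file names and contents are constructed here purely as a fixture.

```shell
#!/usr/bin/env bash
# Added example (not from the mailing-list thread or the CentOS project):
# verify a downloaded image against a checksum file in "sha256sum" format.
set -u

# verify_image FILE CHECKSUM_FILE
# Returns 0 when the SHA-256 listed for FILE in CHECKSUM_FILE matches the
# file on disk, 1 when there is no entry for the file or the digest differs.
# CHECKSUM_FILE lines look like: "<64 hex chars>  <filename>"
verify_image() {
  local file="$1" sumfile="$2"
  local name expected actual
  name=$(basename "$file")
  # Pull the expected digest for this file name only; ignore other entries.
  expected=$(awk -v f="$name" '$2 == f { print $1 }' "$sumfile")
  if [ -z "$expected" ]; then
    echo "verify_image: no checksum entry for $name" >&2
    return 1
  fi
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  if [ "$expected" = "$actual" ]; then
    echo "verify_image: $name OK"
    return 0
  fi
  echo "verify_image: checksum mismatch for $name" >&2
  return 1
}

# make_fixture
# Builds a temporary directory holding a constructed "image" and a matching
# checksum file, so the check can be exercised offline. Prints the directory.
make_fixture() {
  local dir
  dir=$(mktemp -d)
  printf 'constructed sample payload, not a real CentOS image\n' > "$dir/sample.iso"
  (cd "$dir" && sha256sum sample.iso > sha256sum.txt)
  echo "$dir"
}

# Stand-alone run: verify the untouched fixture, then show that a single
# appended byte is caught.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  d=$(make_fixture)
  verify_image "$d/sample.iso" "$d/sha256sum.txt"
  printf 'x' >> "$d/sample.iso"
  verify_image "$d/sample.iso" "$d/sha256sum.txt" || echo "tampered copy rejected"
  rm -rf "$d"
fi
```

On a real mirror the checksum list is only as trustworthy as its origin: CentOS publishes it GPG-signed (sha256sum.txt.asc), so the signature should be checked against the project's release key before the digests are used. That signature, like the package signatures the second message cites, is what anchors trust in the project rather than in whichever CA issued the mirror's certificate.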