The performance hit is negligible, especially for someone like Northwestern that is part of Internet2. We also have an SSD drive pushing the bits on the mirror. Personally, there is no reason not to use SSL wherever possible, especially with Let’s Encrypt being free and automated. There is a reason Google gives preferential rankings to sites that use SSL. Yes, there are checksums on the CentOS ISOs and packages, but how many people actually do that after a download? Using SSL reduces the need for checksums.

> On Jan 17, 2017, at 7:52 AM, cdnops at as250.net wrote:
>
> Dear Ryan,
>
> I am curious...
>
> which advantages did you intend to get out of the redirect?
>
> imho doesn't offer any increase in security at all:
>
> 1) The packages are signed, so their integrity is protected.
>
> 2) Confidentiality of the request is already broken before the redirect.
>
> 3) MITM/Downgrade can already happen there.
>
> So unless HTTPS becomes standard delivery method or HSTS is honored,
> this is a moot exercise anyway that just leads to lower performance.
>
> If HTTPS becomes the standard delivery method, against which CA base
> will certificates be checked? Having signed packages already solves this
> problem nicely and at the most convenient layer.
>
> Please don't get me wrong... generally I think enabling TLS is a
> great idea, but in this case I'm doubtful of the benefit.
>
> Kind regards
> AS250.net
> CDN OPS
> _______________________________________________
> CentOS-mirror mailing list
> CentOS-mirror at centos.org
> https://lists.centos.org/mailman/listinfo/centos-mirror