[sf-lug] https - "improves"(?) security?

Mon Feb 22 08:38:01 PST 2016

Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):

> Use of https just raises the bar, at least somewhat, on security.
> [...]
> E.g. it makes man-in-the-middle attacks more difficult. 
> [...]

All of this is of course true and worth noting.

However, as a reminder, what I asked was:  What specific use-case
applies to this particular example (the linuxmint.com Web site
discussed)?  I.e., for what content on the site, and what usage
modalities, would confidentiality and/or authentication be aided by
transmission over https, as opposed to http?

The point is, except for Linux Mint isos (authenticated by signed
checksums, albeit that is currently badly done), all content on the site
gets anonymously browsed, everything is non-confidential, and little is
at stake.  E.g., the various linuxmint.com sites are not ones for which
man-in-the-middle impersonation -- which requires substantial resources
to either hijack DNS or compromise key routers -- is even remotely
attractive.  

This is what I meant when I said 'On many Web sites, encrypted transport
buys little for lack of need for confidentiality, and authentication is
either relatively unimportant or is better achieved in other ways for
relevant content (e.g., gpg-signed checksums for ISOs).'  My question
amounted to:  What content on linuxmint.com am I missing, for which
https auth & privacy would be even particularly relevant/useful?

Answer turns out to be:  none.  There is a vague _general_ benefit to
https (as always, and at the cost of some performance and reachability,
e.g. over low-bandwidth connections), but nothing _specific_ on that
site, and no use-case for it, gets any significant benefit.

> Though, in many cases, https adds little to nothing.  

Which was my point.

> Also, these days, pretty easy - and *free*! - to do https.

True but not responsive to the question.

> This could also have side benefits of making it less probable that,
> e.g. mirrors, would pick up and display invalid (e.g. "hacked")
> data/information and/or that users would get or download "hacked" or
> tampered with data.

Be serious, now.  Anyone who can cache-poison or otherwise hijack users'
DNS or compromise key Internet routers isn't going to waste time doing a
MitM attack against linuxmint.com.  Against an online bank, now sure.
Not a Linux Web site that doesn't even handle money.

> On the other hand, if the site puts up hashes of ISOs on their
> website, but doesn't bother to sign the ISOs, I'm not going to
> particularly trust those hashes if they're only offered via http,
> whereas if they're offered via https ... well, a modicum of trust
> above http only.

What makes you think a MitM site cannot have a valid https cert?
Probably from DigiNotar, or the Iranian state CA.  ;->