Yeah true, but the arguments for TLS default ring a bit hollow, to me at least.
Someone who really wants the defense-in-depth should probably be switching to onion sources anyway; I was impressed with how quick they were.
As the article says, replay attacks are voided and an adversary could simply work out package downloads from the metadata anyway.
I personally use HTTPS out of general paranoia, but understand the arguments for not changing. It's two extra lines in a server setup script.