Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Fwd: [Tails-dev] download over http by default?

adrelanos adrelanos at
Mon Jul 1 10:40:00 PDT 2013

Originally posted on Tails-dev by Jacob Appelbaum. Interesting,
important topic. Thanks! I took the freedom to forward it to
liberationtech, since one of the topics lately was "the tool doesn't
exist". Just as reference.

-------- Original Message --------
Subject: [Tails-dev] download over http by default?
Date: Sun, 30 Jun 2013 00:46:27 +0000
From: Jacob Appelbaum <jacob at>
Reply-To: The Tails public development discussion list <tails-dev at>
To: The Tails public development discussion list <tails-dev at>


When upgrading a tails machine today, I noticed that the default
download link is HTTP. We've done some statistics on the number of users
that actually bother to download signatures - it basically borders on
none for some software. Does Tails find that for every ISO, users
download the signature? Ten to one? Perhaps one out of ever thousand

I really strongly encourage that the default download link should be
secure - if there was a tool to download updates and it automatically
checked the signatures, I'd think it was perhaps OK to use HTTP.
Probably not but well, I could at least believe that someone might
complete both steps. Without such a tool, I think this is merely a
recipe for disaster.

We carry a secure mirror here:

If you guys can't handle HTTPS traffic, I really encourage you to link
to our HTTPS site as the default. If nothing else, I believe that some
browsers also pin our certs. That at least changes the game to something
a bit harder.

All the best,
tails-dev mailing list
tails-dev at

More information about the liberationtech mailing list