
This is a persistent myth https://istlsfastyet.com

I've seen whonix say this

> Practically it is difficult to provide SSL protected downloads at all. Many important software projects can only be downloaded in the clear, such as Ubuntu, Debian, Tails, Qubes OS, etc. This is because someone has to pay the bill and SSL (encryption) makes it more expensive. At the moment we don't have any mirror supporting SSL. We're looking for SSL supported mirrors to share the load.

Is it not true that mirrors supporting SSL are more expensive?

No, it's not true anymore. From the link you replied to:

"On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10 KB of memory per connection and less than 2% of network overhead. Many people believe that SSL/TLS takes a lot of CPU time and we hope the preceding numbers will help to dispel that." - Adam Langley, Google

Getting an SSL certificate used to be a cost, but that's taken care of now by https://letsencrypt.org/.

So can you recommend a mirror for them that supports SSL?

There are multiple named projects there that aren't using SSL, and I don't think it's just laziness. If you know of a way for them to use SSL mirrors for no additional cost, I'll work on getting them to switch over.

Debian, Ubuntu, Qubes, and others are on https://mirrors.kernel.org.

I suspect that wiki page you linked might be out of date. It seems like all of the Whonix download links on their website are over https, like the VirtualBox images https://www.whonix.org/download/

Whonix also runs a tor mirror, which has significantly more overhead than TLS.

I know the last time I played with Whonix it was http, so I think you're right that it's a recent change.

For tails: https://tails.thecthulhu.com/. It appears to be the same server behind http://dl.amnesia.boum.org/ based on the TLS cert.

The situation is messy to actually use https for all of these projects, but I think the issue now is organization rather than overhead.

Huh. The language there seems to be from 2013.

I seem to remember downloading whonix from their site over HTTP around a year ago.

Do you see a tails HTTPS mirror?

This is only true for Intel and AMD x86_64 servers that have hardware accelerated AES with the AES-NI instruction set. Software implementations of AES and the other ciphers are much, much slower than AES with hardware acceleration. RC4 was the fastest decent software cipher for a while, but that has been found to be insecure and its use is discouraged. The fastest possible replacement would probably be ChaCha20, but that cipher is not widely supported yet. The other software ciphers are very slow, and certainly wouldn't be considered as "fast yet".
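As an added example (not from any commenter in this thread), here is a script a mirror operator can run to check the AES-NI point above on their own host: it uses OpenSSL's built-in benchmark once normally and once with the CPU's AES-NI/PCLMULQDQ capability bits masked off, and also reports the software-only ChaCha20-Poly1305 figure. It assumes an x86_64 Linux host with the `openssl` CLI (1.1.0 or newer) on PATH; the function names are my own.

```shell
#!/bin/sh
# Added example: measure whether the "TLS is cheap" claim depends on AES-NI.
# OPENSSL_ia32cap is a real OpenSSL environment knob; the mask below clears
# capability bits 33 (PCLMULQDQ) and 57 (AES-NI) for that process only.

# Prints 1 on an x86 CPU whose kernel reports the AES-NI flag, else 0.
aesni_present() {
    case "$(uname -m)" in
        x86_64|i*86)
            if grep -qw aes /proc/cpuinfo 2>/dev/null; then echo 1; else echo 0; fi ;;
        *) echo 0 ;;
    esac
}

# Throughput in KB/s for cipher $1 on 16 KB blocks (close to the record size
# TLS uses for bulk downloads). $2 = "off" runs with AES-NI masked off.
# openssl speed ends with a row like:  aes-128-gcm  12345.67k ... 987654.00k
cipher_kbps() {
    cipher="$1"
    if [ "$2" = "off" ]; then
        OPENSSL_ia32cap="~0x200000200000000" openssl speed -seconds 1 -evp "$cipher" 2>/dev/null
    else
        openssl speed -seconds 1 -evp "$cipher" 2>/dev/null
    fi | awk -v c="$cipher" 'tolower($1) == c { gsub(/k$/, "", $NF); printf "%d\n", $NF }'
}

# Prints "<hw KB/s> <sw KB/s> <ratio>" for AES-128-GCM, the common TLS bulk
# cipher; returns 1 if the benchmark produced no usable numbers.
compare_aes_gcm() {
    hw=$(cipher_kbps aes-128-gcm on)
    sw=$(cipher_kbps aes-128-gcm off)
    [ -n "$hw" ] && [ -n "$sw" ] && [ "$sw" -gt 0 ] || return 1
    echo "$hw $sw $((hw / sw))"
}

# Stand-alone demo; prints nothing if openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    echo "aes-ni flag present: $(aesni_present)"
    compare_aes_gcm | { read -r hw sw r; echo "aes-128-gcm: hw=${hw}KB/s sw=${sw}KB/s ratio=${r}x"; }
    echo "chacha20-poly1305 (software): $(cipher_kbps chacha20-poly1305 on)KB/s"
fi
```

On a host without AES-NI (or where the mask is ignored, e.g. ARM) the two AES figures come out roughly equal, which is exactly the case the comment above warns about.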
