[clamav-users] Database updated over unencrypted connection?
Dave Warren
dw at thedave.ca
Sat Mar 16 21:43:06 UTC 2019
On 2019-03-15 09:53, Franky Van Liedekerke via clamav-users wrote:
> I wonder why the http/https discussion is still relevant. Almost all sites use https now, http is getting slowly banned and a lot of companies just don't want to allow incoming http traffic towards a server. Certificates cost nothing anymore (you have free ones), so that's no longer an issue too. And the cpu issue might've been relevant years ago, but it shouldn't be now (offloading https to a high-performant frontend server can help if you really have issues).
> Just my 2 cents here ...
One other consideration here is historical: ClamAV relied on donated
mirrors, some of which struggled to keep a bare minimum configuration
working. Deploying HTTPS and getting the mirror operators to keep up
with certificates, secure TLS configuration and other details would add
a lot more load to what I understand was already a challenge for the
ClamAV team.
The situation has changed somewhat today with Cloudflare's involvement
as there would only be one party involved in deploying certificates to
all nodes, and a party that can sign and maintain certificates
themselves completely automatically at that.
As noted elsewhere in the thread, freshclam work needs to be done before
freshclam itself could actually use this capability.