Website security and encryption

I'm amazed and surprised none of your webpages -- including the downloads
-- are via secure/encrypted connections ("https://" or otherwise).

There's absolutely no reason ANY website should be doing this.

I refuse any site, not to mention download anything from them, if
connections aren't secure and encrypted.

BIG oversight on your behalf.

That's odd. When I log on to Libreoffice.com, I use (e.g.)
https://www.libreoffice.org/download/libreoffice-fresh/, which is, of
course, encrypted.

The libreoffice.org website is served through both http and https.

For what it's worth, I doubt it's an oversight at all: in some
circumstances, people can have difficulty accessing websites through TLS
connections (sadly). Still, the secure alternative is available. In fact,
the first answer in google for "libreoffice" is the https version.

Keep in mind that using https by itself just means that the server's
identity is verified by a third party and that the connection isn't
tampered with. The trust to give to this "third party" is another matter :)

Out of interest, what benefit do you think you will have from an https
connection to the LibreOffice site?

As all the information is being downloaded, and not uploaded, and is
publicly available, there is no security from the encryption; anybody
can get the same data you are accessing. The verification of the domain
is useful, but does still rely on trusting the DNS servers. The download
itself can be verified through other, better means to ensure it is good,
although this does again rely on the website not having been hacked,
which https does nothing to ensure. Although using encryption does
prevent your ISP throttling the download, I didn't think that was
common with http traffic, more with bittorrent traffic. The target IP
address is also available, so https doesn't prevent people from keeping
tabs on which sites you visit. Encrypted traffic does also prevent your
ISP inserting ads, but do any ISPs actually do this?

The added verification of the domain is useful (although not absolute),
and the general feeling that all internet traffic should be encrypted
to prevent tracking and throttling is also valid, but the post was
strongly worded, so I wondered if you had a particular need for
encrypted traffic instead of normal.

Paul

PS. I find the tone of the message to be a little strong,
especially given that you are mistaken in your belief, and a simple
test would have verified that. Given your sentiments about unencrypted
traffic, you are of course fully entitled to simply not use the
LibreOffice site or software. If you do wish to use it, politeness and
respect will get you much further in this community.

I may be completely wrong in this assumption, but the tone of your
message, the strong view that you will not use any unencrypted
sites, and your not doing a simple check to see if an
encrypted version of the site was available lead me to suspect that
you misunderstand how https connections work, the benefits they
provide and the risks plain http presents. Perhaps the situation is not
as dire as you suspect.

As all the information is being downloaded, and not uploaded, and is
publicly available, there is no security from the encryption; anybody
can get the same data you are accessing. The verification of the domain
is useful, but does still rely on trusting the DNS servers. The download
itself can be verified through other, better means to ensure it is good,
although this does again rely on the website not having been hacked,
which https does nothing to ensure.

HTTPS does some stuff to make the download safer: assuming the server's
private key itself was not accessed by an attacker, AND assuming the third
party certificate authority didn't issue a bogus certificate.
In that case, we can reasonably think that what is shown accessing
https://libreoffice.org really originates from libreoffice.org. This
includes the files and the hash fingerprints provided as a way to check the
downloaded files.
One could argue that the downloads themselves could be served over HTTP for
efficiency, and only the hashes need to go through HTTPS, but pushing
everything through TLS is not that troublesome.

Of course, we assume that some bases are correct. And that's ignoring other
ways of attack: corporate "nosey" decrypt-all routers, users accepting
invalid certificates, browser hijacking, etc.
All in all, providing HTTPS access with a verified certificate does add
something, even for a public project that only provides files to the users,
but it's not completely secure just because of the https green thingy.
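The posts above describe the check in words: fetch the published hash fingerprints over HTTPS (so they are known to come from the project), then compare the downloaded file against them. The following is an added illustration of that procedure in Python, not code from the LibreOffice project or from anyone in this thread. The file bytes and the checksum listing are constructed here for the demo; the listing uses the `sha256sum` text format (`<hex digest>  <filename>`), and `checksums_source_ok` only encodes the thread's point that the hash list must itself arrive over https.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample download (stands in for a real installer archive).
SAMPLE_FILE = b"pretend this is LibreOffice_x.y.z.tar.xz\n"
SAMPLE_NAME = "LibreOffice_x.y.z.tar.xz"

# Constructed checksum listing in sha256sum format, as a project might
# publish beside its downloads. The second line's digest is computed from
# SAMPLE_FILE so the demo is self-consistent; the first line is the
# well-known SHA-256 of an empty file.
SAMPLE_CHECKSUMS = (
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  empty.txt\n"
    + hashlib.sha256(SAMPLE_FILE).hexdigest() + "  " + SAMPLE_NAME + "\n"
)


def parse_checksum_list(text):
    """Parse sha256sum-style lines into {filename: hex digest}.

    Accepts both '<digest>  <name>' (text mode) and '<digest> *<name>'
    (binary mode). Lines that do not carry a 64-hex-char digest are skipped.
    """
    table = {}
    for line in text.splitlines():
        parts = line.strip().split(maxsplit=1)
        if len(parts) != 2:
            continue
        digest, name = parts
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
            continue
        table[name.lstrip("*")] = digest.lower()
    return table


def sha256_hex(data):
    """Hex SHA-256 of the downloaded bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data, filename, checksum_text):
    """True only if the file's SHA-256 matches the published entry for it.

    A file with no entry in the listing is treated as unverified, and the
    comparison is constant-time so a mismatch leaks nothing about the digest.
    """
    expected = parse_checksum_list(checksum_text).get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def checksums_source_ok(url):
    """The hash list is only worth trusting if it was itself fetched over
    https; a plain-http listing could be rewritten in transit along with
    the download it is meant to check."""
    return urlparse(url).scheme == "https"


if __name__ == "__main__":
    print("genuine file ok:", verify_download(SAMPLE_FILE, SAMPLE_NAME, SAMPLE_CHECKSUMS))
    print("tampered file ok:", verify_download(SAMPLE_FILE + b"\x00", SAMPLE_NAME, SAMPLE_CHECKSUMS))
    print("https listing:", checksums_source_ok("https://www.libreoffice.org/download/"))
    print("http listing:", checksums_source_ok("http://www.libreoffice.org/download/"))
```

As the thread notes, a matching hash only shows the file equals what the site published; if the site itself was compromised, both file and hash can be wrong together, which is why projects also offer detached signatures checked against a key obtained out of band.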

PS. I find the tone of the message to be a little strong,

Agreed.