HTTPS is not applied to the video streams

[aef]

The page itself is displayed through HTTPS but it seems the actual video content is loaded through plain HTTP. Therefore an attacker can observe and/or manipulate the delivered video stream quite easily. This also means that the privacy expectations when watching the videos through the HTTPS site are reduced to zero.

Is this because not every member of the CDN supports HTTPS? Or is this just a programming mistake? In the former case, couldn't you make another DNS pool which only contains servers capable of HTTPS and link to that in case the media site is requested via HTTPS? Because at least some of the CDN server seem to be able to deliver HTTPS just fine.

[manno]

We're not using a DNS pool, we're using a http redirector (mirrorbrain). While this is a known problem, it's also very low priority. I'm currently rewriting parts of mirrorbrain in Go, so https aware mirror selection may be possible in the future.

However let me discuss the two scenarios you describe:

• Attacker is able to manipulate http connections (mitm) and is in possesion of a working exploit against the users browser or video player
  The attacker could inject malicous code into any http connection. While we may fix this for media.ccc.de, I find it highly unlikely a user would never visit http sites.
• Privacy
  Sure, as with FTP and bittorrent an attacker could passively monitor traffic to deduce which videos are being watched by whom. Your searches and browsing behaviour are protected though.
  However we do not control the mirrors and we do not have a 'vetting process' for mirrors in place. Mirror owners could store and share your IP, Useragent, etc. As stated in our privacy policy (https://media.ccc.de/about.html): " Video and audio files are often provided by mirrors and are not covered by this policy."

Sorry there is no easy fix (yet).