Security against your client-server communications' contents being observed by third parties. So here https ... gives ... confidentiality ... to ... public ... images. Well that's useful!
It does not prevent server spoofing attacks (as in attackers changing the code you boot) in 99% of situations. Nor man-in-the-middle protection ...
So what's the point of https in this situation? Certificate, cert pinning, ... are all useless in this situation (certificate only helps on repeat visits, which of course never applies in this situation). Cert pinning only helps for specific sites (not this one) and even if it did, only when the originating software is really up to date (which is just not going to be the case here).
So you can just as well say that http is perfectly secure in this case. Or at least ... as secure as https is going to be.
There's quite a bit more to security than "use https".
It ensures the response from the webserver really is from netboot.xyz, and not from any mitm server.
> It does not prevent server spoofing attacks (as in attackers changing the code you boot) in 99% of situations. Nor man-in-the-middle protection ...
Can you elaborate? How would you spoof the server response without having a valid certificate key for the netboot.xyz domain?
I think this is referring to the server being compromised. This isn't something that can be solved easily because while the bootloader could include signify[1] to verify its downloads, the bootloader itself can't be verified with anything. (disclaimer: I don't know very much about iPXE)
http://boot.netboot.xyz
which in turn does
http[s]://boot.netboot.xyz/menu.ipxe