Florian Lohoff <[email protected]> writes:

> On Mon, Oct 15, 2018 at 12:22:34PM +0200, Toke Høiland-Jørgensen wrote:
>> > The integrity of debian packages is guaranteed by their hash
>> > in the Packages file which is signed by a gpg signature.
>> > So https is not needed for integrity and fetching from
>> > a debian mirror does not need confidentiality.
>>
>> Sure it does. Otherwise an observer has a list of all packages installed
>> on your system, which, apart from the obvious privacy implications, also
>> potentially has security implications (an attacker can know which
>> vulnerable package versions are installed on the system).
>
> As the attacker knows you are connecting to a debian repository it's a
> pretty simple guess from file/request size to the package.
>
> Because you can't read the data doesn't mean you are safe. Metadata is
> most of the time enough.
Sure, https is no panacea. I was just disputing the assertion that it has
*no* value...

-Toke
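To put a number on the metadata argument above, here is an added example (not from this thread or from Debian's tooling) that parses a constructed Packages-format index with hypothetical sizes, counts how many packages a size-only observer could pin down, and shows how much that count drops when transfer sizes are rounded up to a padding block; the package names, versions and sizes are all made up.

```python
import re
from collections import defaultdict

# Constructed sample in Debian "Packages" index format (hypothetical names/sizes).
SAMPLE_PACKAGES = """\
Package: foo-utils
Version: 1.2-3
Size: 48216

Package: bar-lib
Version: 0.9-1
Size: 48216

Package: baz-daemon
Version: 2.0-2
Size: 130900

Package: qux-tool
Version: 4.1-1
Size: 131000

Package: quux-doc
Version: 1.0-1
Size: 992104
"""

def parse_packages(text):
    """Return a list of (name, version, size) tuples, one per index stanza."""
    pkgs = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if "Package" in fields and "Size" in fields:
            pkgs.append((fields["Package"], fields.get("Version", ""), int(fields["Size"])))
    return pkgs

def size_buckets(pkgs, granularity=1):
    """Group packages by the size an observer would see, rounded up to a
    multiple of `granularity`. granularity=1 models exact byte counts on the
    wire; a larger value models length hiding (padding transfers to a block)."""
    buckets = defaultdict(list)
    for name, ver, size in pkgs:
        key = -(-size // granularity) * granularity  # ceiling to the block size
        buckets[key].append(f"{name}={ver}")
    return dict(buckets)

def identification_stats(pkgs, granularity=1):
    """Return (uniquely_identified, total): packages alone in their size bucket."""
    buckets = size_buckets(pkgs, granularity)
    unique = sum(1 for members in buckets.values() if len(members) == 1)
    return unique, len(pkgs)
```

With exact sizes three of the five sample packages are uniquely identifiable; rounding sizes up to 4096-byte blocks leaves only one, which is the kind of measurement to make on a real index before deciding whether padding or a local mirror is worth it.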
