On Thu, Jul 03, 2014 at 11:05:17AM -0400, Hans-Christoph Steiner wrote:
> I definitely agree there are legitimate concerns that using HTTPS on apt 
> mirrors would help, and people who suggest otherwise are out of date on what 
> the threats are.  I think the integrity of the package itself is not reason 
> enough to use HTTPS since the GPG signing is much more reliable for that task.  
> I break it down into 4:
> 
> 1. package authenticity
> (software can be modified while being downloaded)
> 
> 2. repo availability
> (internet services can be blocked by governments and companies)
> 
> 3. package availability
> (software security updates can be individually blocked)
> 
> 4. who’s downloading what package (currently visible to anyone who can see the 
> network traffic, including open wifi, etc.)
> 
> 
> The current apt model covers #1 well, but only covers #2 and #3 with a two week 
> window (the expiration date on the repo metadata).  And it does not cover #4 at 
> all.

HTTPS won't address #1 completely in the presence of mirrors, and Debian doesn't have the resources to serve all users without mirrors. It will not address #2. It may address #3, but less reliably than the current situation. It may make #4 harder for certain scenarios, but not others (traffic analysis of specific hosts).

Something like Tor will be a better solution for #2 and #4, while the current system provides #1 and #3. (And also provides #2 for all practical purposes, given the length of the mirror list.)

Mike Stone


Archive: 
https://lists.debian.org/e4cb4f22-02c8-11e4-904c-00163eeb5...@msgid.mathom.us

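The thread above leans on two apt mechanisms without spelling them out: the signed Release file carries the size and SHA256 of every index, so a modified Packages file is rejected regardless of transport (#1), and its Valid-Until field bounds how long an attacker can replay stale metadata to hide an update (#3, the "two week window"). The following is an added example, not code from either poster or from apt itself; it parses a constructed Release file, checks Valid-Until against a supplied clock, and verifies a Packages index against the listed size and hash. The OpenPGP signature check that apt performs on the Release file first (gpgv against the keyring in /etc/apt/trusted.gpg.d) is out of scope here; the code assumes the Release text it receives has already passed that check. Field names and the date format are those of real Release files; the repository contents are constructed.

```python
"""Check apt repository metadata the way apt's trust model does, minus the
OpenPGP step: the Release file must not be past Valid-Until, and a downloaded
Packages index must match the size and SHA256 the Release file lists.

Added example, not code from the debian-security thread or from apt.
The Release and Packages contents below are constructed for illustration.
"""
import hashlib
from datetime import datetime, timedelta, timezone

# Date format used in Debian Release files (RFC 2822 style, always UTC).
_RELEASE_DATE_FMT = "%a, %d %b %Y %H:%M:%S %Z"


def parse_release(text):
    """Parse a Release file into scalar fields plus hash tables.

    Hash sections (MD5Sum, SHA1, SHA256) become dicts mapping the index
    path to (size, hexdigest); every other field is kept as a string.
    """
    fields = {}
    current_table = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            # Continuation line inside a hash table: "<hex> <size> <path>"
            if current_table is not None:
                digest, size, path = line.split()
                fields[current_table][path] = (int(size), digest)
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("MD5Sum", "SHA1", "SHA256"):
            fields[key] = {}
            current_table = key
        else:
            fields[key] = value
            current_table = None
    return fields


def release_is_fresh(release, now):
    """True if 'now' is before Valid-Until (or no Valid-Until is set).

    This is the window the thread refers to: past it, apt refuses the
    metadata, so replaying an old Release to hide an update stops working.
    The window length is chosen by the repository, not by apt.
    """
    valid_until = release.get("Valid-Until")
    if valid_until is None:
        return True
    expiry = datetime.strptime(valid_until, _RELEASE_DATE_FMT)
    return now < expiry.replace(tzinfo=timezone.utc)


def verify_index(release, path, data):
    """Check a downloaded index against the Release file's SHA256 entry.

    Returns (ok, reason). Size is compared first so a truncated or padded
    file is reported as such before the hash is computed.
    """
    entry = release.get("SHA256", {}).get(path)
    if entry is None:
        return False, "path not listed in Release"
    size, digest = entry
    if len(data) != size:
        return False, "size mismatch"
    if hashlib.sha256(data).hexdigest() != digest:
        return False, "sha256 mismatch"
    return True, "ok"


def build_release(packages_data, date, valid_until):
    """Construct a minimal Release text covering one Packages index."""
    digest = hashlib.sha256(packages_data).hexdigest()
    return (
        "Origin: Example\n"
        "Suite: stable\n"
        f"Date: {date.strftime(_RELEASE_DATE_FMT)}\n"
        f"Valid-Until: {valid_until.strftime(_RELEASE_DATE_FMT)}\n"
        "SHA256:\n"
        f" {digest} {len(packages_data)} main/binary-amd64/Packages\n"
    )


# Constructed Packages index; the tampered copy keeps the same length so only
# the hash check, not the size check, catches it.
PACKAGES_SAMPLE = (
    b"Package: hello\nVersion: 2.10-1\nArchitecture: amd64\n"
    b"Filename: pool/main/h/hello/hello_2.10-1_amd64.deb\n\n"
)
PACKAGES_TAMPERED = PACKAGES_SAMPLE.replace(b"Version: 2.10-1", b"Version: 2.10-0")


def run_demo():
    """Exercise the freshness and integrity checks on the constructed repo."""
    signed_at = datetime(2014, 7, 3, 12, 0, 0, tzinfo=timezone.utc)
    release = parse_release(
        build_release(PACKAGES_SAMPLE, signed_at, signed_at + timedelta(days=14))
    )
    path = "main/binary-amd64/Packages"
    return {
        "fresh_on_day_1": release_is_fresh(release, signed_at + timedelta(days=1)),
        "fresh_on_day_15": release_is_fresh(release, signed_at + timedelta(days=15)),
        "genuine": verify_index(release, path, PACKAGES_SAMPLE),
        "tampered": verify_index(release, path, PACKAGES_TAMPERED),
        "truncated": verify_index(release, path, PACKAGES_SAMPLE[:-1]),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Note what the Valid-Until check does and does not buy: a blocked mirror or a withheld Release file is only noticed once the cached copy expires, and an attacker who can serve an old but still-valid Release can keep a client on the previous package set for the whole window. That is why the thread treats #3 as covered only "with a two week window", and why neither HTTPS nor the hash table helps with an outright block (#2).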