-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Joel Rees: > On Fri, Jul 4, 2014 at 11:44 AM, Hans-Christoph Steiner > <h...@at.or.at> wrote: >> >> [rhetoric encouraging the use of TLS transport for mirrors] [list >> of current https mirrors] > > Far be it from me to argue with ucalgary.ca, but one thing that > bothers me about using TLS as a download transport is that, if I > were the spooks, and I wanted a huge sample of crypts from a known > plaintext, I could think of worse ways to go than to get the > opensource crowd to provide them for me.
Any popular site with relatively static content would do that. Apple store or Play store would probably provide a more useful dataset for them anyway. But if you configure it and the clients to favor ephemeral keys you reduce the usefulness of captured traffic in being able to simulate the server itself. > I mean, yeah, they probably have the resources to simulate the > debian download infrastructure in their internal server farms, but > why do their work for them and free their resources up for other > jobs? I'm not sure that's a realistic scenario. > Especially when the only real advantage of using TLS download > transport is (the illusion of) being able to download what you > want without "them" knowing exactly what you downloaded. Yeah they could probably infer it based on the session size. They do that for other encrypted streams, like determining successful SSH logins. But TLS also serves as a sort of sloppy authentication mechanism, assuring you that someone someplace has vouched for the fact that you've connected to the system you intended to connect to. It's not terribly useful when you already sign your packages, but layers etc. - -- I prefer encrypted email. Get my key here: http://www.louruppert.com/keys/115DCF62.asc PGP Fingerprint: 3261 B9F9 9363 D512 56F8 12DD 127F 4D6A 115D CF62 -----BEGIN PGP SIGNATURE----- iEYEAREKAAYFAlO2y64ACgkQEn9NahFdz2JUNQCgjZChVYQEwELRqLg7uweq86Ee 3IQAoKWjpfzBeTnHpoMbmfirx6N7oMDU =F6xl -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/53b6cbae.4040...@louruppert.com
