On Sat, Dec 17, 2016 at 06:18:41PM -0000, johnyju...@sigaint.org wrote:
> While updates are signed, so even if they come over the wire in cleartext,
> the fact that they often are sent in the clear (even from debian.net)
> allows a snooper to know what packages you're scanning for metadata or
> installing.  It reveals a lot about the state of your system.
> 
> Updating over Tor or a VPN helps a bit.  Updating to Debian's hidden
> service is even more ideal, no https in between with
> state-actor/CA-forgeable certificates possible, etc.
> 
> However, Qubes updates aren't available via Tor.
> 
> I do notice, however, that the qubes repository will allow changing the
> "http" to "https" in the qubes entry /etc/apt/sources.list.d/.  (You'd
> have to install "apt-transport-https" too.)
> 
> Do the Qubes folks have a problem with this?  It'd put extra load on the
> servers, so I thought I'd ask.
> 
> I might suggest it would make a good default, if the load wouldn't be
> unacceptable.
> 
> Cheers,
> 
> -d
> 
This has been under discussion in qubes-issues for some time.
apt-transport-https is installed by default, so you can change that if
you want.

There was a proposal to make Debian updates use https by default. It
wasn't accepted. Debian security updates aren't available by https so
that part will always come plain.
You can change the rest to use https.
The benefits of doing this are almost entirely illusory. It's pretty
trivial to identify packages being transferred under https, so a
competent snooper wouldn't be hampered.

I assume you mean that Qubes updates aren't available as an onion
service. I offered to set this up some time back but it wasn't thought a
priority. There used to be such a service but it's long out of date
now.

unman
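
The change discussed in this thread, as an added example that is not part of either message and not Qubes project code: a filter that switches APT source lines from http to https while leaving named hosts on plain http, as the reply says the Debian security archive must be. Assumptions: the function names are hypothetical, `repo.example.org` is a placeholder, and `security.debian.org` is taken to be the host serving Debian security updates.

```shell
#!/bin/sh
# Added example. Reads APT source lines on stdin, writes them to stdout with
# http:// changed to https://, except for hosts named in the first argument.

# to_https "host1 host2 ..." : hosts listed here stay on plain http.
to_https() {
    awk -v skip="$1" '
    BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) keep[s[i]] = 1 }
    # Only active deb / deb-src lines are touched; comments pass through.
    /^[ \t]*deb(-src)?[ \t]/ {
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^http:\/\//) {
                # Host is whatever follows "http://" up to the first / or :
                split(substr($i, 8), p, "/")
                split(p[1], q, ":")
                # Assigning to a field re-joins the line with single spaces.
                if (!(q[1] in keep)) sub(/^http:/, "https:", $i)
                break
            }
        }
    }
    { print }
    '
}

# Constructed sample input, not a real Qubes or Debian sources file.
sample_sources() {
cat <<'EOF'
# constructed sample
deb [arch=amd64] http://repo.example.org/debian jessie main
deb http://security.debian.org jessie/updates main
#deb-src http://repo.example.org/debian jessie main
EOF
}

# Preview the rewritten lines; review them before replacing any real file.
sample_sources | to_https "security.debian.org"
```

The https transport has to be present (the `apt-transport-https` package mentioned above) before APT can fetch from a rewritten entry.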
