On Tue, Mar 14, 2017 at 12:39:04AM -0400, Chris Laprise wrote:
> On 03/14/2017 12:03 AM, InfusingPrivacy wrote:
> >As part of my exploration of Qubes, I took a look inside yum.repos.d and I
> >noticed that there were quite a few repos that used http. Most are default
> >fedora repos, but some are Qubes repos, which raised a question of curiosity
> >(primarily for discussion):
> >
> >Would it be helpful if certain Qubes repos used HTTPS? Why or why not?
> >
> >I'm not going to claim to know all of the details and I don't wish to
> >dictate what Qubes devs should do, but I guess my question is more of the
> >tone: (if it helps and if it is not much of a hassle, why not? HTTPS should
> >be more secure than HTTP)
> >
> >My only guess as to why not would be: the GPG keys are sufficient?
> >
>
> GPG is sufficient for verification, although using HTTPS would conceal which
> software packages you are using
>
> Qubes developers are already preparing to do most distribution over Tor
> services, which makes HTTPS somewhat moot.
>
I think that the idea that HTTPS will conceal which software package is
being installed is illusory in many cases, because the fingerprints can be
easily identified. In the Qubes case, where the number of packages is
relatively small, it should be easy to identify which packages were being
downloaded. The very fact that that site is being accessed would probably
be enough to inform an eavesdropper of the likely packages.

The move to Tor does make this still more difficult, but again, the
correlation of a number of requests to what are relatively uncommon sites
may be enough to identify a Whonix or Qubes user.

(I should say that I don't know what is in the Whonix repos but the Qubes
ones contain relatively few packages.)
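
The distinction drawn in this thread (GPG signatures give integrity, the transport only affects what an observer sees) can be checked per repo. The following is an added example, not part of the original messages or of Qubes' tooling: it parses the text of a yum.repos.d file and reports, for each enabled repo, whether packages are signature-checked and whether the transport is cleartext. The sample repo ids, hosts and key paths are constructed placeholders, and `default_gpgcheck` is an assumed stand-in for the `[main]` setting in yum.conf/dnf.conf.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: repo ids, hosts and key paths are placeholders.
SAMPLE_REPO = """\
[signed-http]
baseurl = http://repo.example.org/r$releasever/current
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[unsigned-http]
baseurl = http://repo.example.org/unsigned
gpgcheck = 0

[signed-https]
metalink = https://mirrors.example.org/metalink?repo=x&arch=$basearch
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
"""

def _on(value, default):
    """Interpret a yum/dnf boolean option; fall back when it is absent."""
    return default if value is None else value.strip().lower() in ("1", "true", "yes", "on")

def _cleartext(url):
    """True for http/ftp URLs, except onion services (encrypted by Tor itself)."""
    p = urlparse(url)
    return p.scheme in ("http", "ftp") and not (p.hostname or "").endswith(".onion")

def audit_repos(text, default_gpgcheck=False):
    """Map each enabled repo id in a .repo file to one finding string."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = {}
    for repo in cp.sections():
        sec = cp[repo]
        if repo == "main" or not _on(sec.get("enabled"), True):
            continue  # skip global options and disabled repos
        urls = [u for k in ("baseurl", "metalink", "mirrorlist") for u in sec.get(k, "").split()]
        exposed = any(_cleartext(u) for u in urls)
        signed = _on(sec.get("gpgcheck"), default_gpgcheck)
        label = "verified" if signed else "unverified"
        findings[repo] = label + (", cleartext transport" if exposed else "")
    return findings

if __name__ == "__main__":
    for repo, finding in audit_repos(SAMPLE_REPO).items():
        print(f"{repo}: {finding}")
```

A result of "verified, cleartext transport" is the case discussed above: package integrity is covered by GPG, while the requested file names remain visible on the wire.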
