Re: client-side signature checking of Debian archives

To: debian-devel@lists.debian.org
Subject: Re: client-side signature checking of Debian archives
From: Kristian Erik Hermansen <kristian.hermansen@gmail.com>
Date: Sun, 23 Oct 2016 17:59:02 -0700
Message-id: <[🔎] CAPgP4gy_nLJkOUmrVmgZMgd=SDMQ-QHE0ZOQbsFV25CBG2++Pw@mail.gmail.com>
In-reply-to: <[🔎] 87a8duocmz.fsf@hope.eyrie.org>
References: <[🔎] CAPgP4gxcptXTNcEFb5Jf+SkAYPWSuXwRVAoiqmABG_+gDCdGYw@mail.gmail.com> <[🔎] 580CC7E3.2030301@debian.org> <[🔎] CAPgP4gwkkfhsfUMzGqT6AWqFnL7u2dazBvbj1ZPTpjQy0WTQeA@mail.gmail.com> <[🔎] 580CED6C.8070206@debian.org> <[🔎] 87lgxf3qo4.fsf_-_@violet.siamics.net> <[🔎] 87a8duocmz.fsf@hope.eyrie.org>

On Sun, Oct 23, 2016 at 4:43 PM, Russ Allbery <rra@debian.org> wrote:
> susceptible to traffic analysis.  You can make some pretty good guesses
> from the size of the object downloaded, particularly if you can watch over
> time and see what happens when updated packages are released.
>
> Of course, it's much harder than just passively reading the HTTP GET
> commands.  It probably requires someone write code to map object sizes to
> possible packages.

Correct. The point is that it may slightly increase the costs on
Debian and mirrors, but exponentially increase the cost for nation
state attackers. If you want to decrease the traffic analysis issues,
you can also support HTTP/2 (or QUIC udp/443 0-rtt in the future),
which will bundle resource requests intelligently within the same
connection and make traffic analysis a bit more complex / costly.

-- 
Regards,

Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen

Reply to:

References:
- Re: When should we https our mirrors?
  - From: Kristian Erik Hermansen <kristian.hermansen@gmail.com>
- client-side signature checking of Debian archives (Re: When should we https our mirrors?)
  - From: "Eugene V. Lyubimkin" <jackyf@debian.org>
- Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
  - From: Kristian Erik Hermansen <kristian.hermansen@gmail.com>
- Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
  - From: "Eugene V. Lyubimkin" <jackyf@debian.org>
- Re: client-side signature checking of Debian archives
  - From: Ivan Shmakov <ivan@siamics.net>
- Re: client-side signature checking of Debian archives
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
Next by Date: Re: client-side signature checking of Debian archives
Previous by thread: Re: client-side signature checking of Debian archives
Next by thread: Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
Index(es):
- Date
- Thread