Re: client-side signature checking of Debian archives
On Sun, Oct 23, 2016 at 4:43 PM, Russ Allbery <email@example.com> wrote:
> susceptible to traffic analysis. You can make some pretty good guesses
> from the size of the object downloaded, particularly if you can watch over
> time and see what happens when updated packages are released.
> Of course, it's much harder than just passively reading the HTTP GET
> commands. It probably requires someone write code to map object sizes to
> possible packages.
Correct. The point is that it may slightly increase the costs on
Debian and mirrors, but exponentially increase the cost for nation
state attackers. If you want to decrease the traffic analysis issues,
you can also support HTTP/2 (or QUIC udp/443 0-rtt in the future),
which will bundle resource requests intelligently within the same
connection and make traffic analysis a bit more complex / costly.
Kristian Erik Hermansen