Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
"Eugene V. Lyubimkin" <email@example.com> writes:
> I'm not sure that benefits outweight the costs. HTTPS requires that I
> trust the third-parties -- mirror provider and CA. Gpgv doesn't require
> third parties.
It's critical here that we do not drop GPG. We continue using GPG for the
integrity and authentication part of package retrieval. If anyone has
proposed replacing the GPG signatures, well, I completely disagree with
The idea is to *add* HTTPS protection on top of the protections we already
have. You're correct that it doesn't give you authentication of the
packages without a bunch of work, and we should assume that the general
public CA system is compromised. But that actually doesn't matter much
for our purposes, since the point is to greatly increase the cost of
gathering data about what packages people have installed.
The value of HTTPS lies in its protection against passive snooping. Given
the sad state of the public CA infrastructure, you cannot really protect
against active MITM with HTTPS without certificate pinning. But that's
fine; active attackers are a much, much rarer attack profile. The most
likely attack, and the one we're able to protect against here, is passive
observation of mirror traffic used to build a database of who is using
what package and at what version. HTTPS doesn't *prevent* this, but it
requires the attacker to do much more sophisticated traffic analysis, or
take the *much* more expensive and *far* riskier step of moving to active
interference with traffic, neither of which nation-state attackers want to
do and neither of which they have the resources to do *routinely*.
It won't help if a nation-state actor is targeting you *in particular*.
But it helps immensely against dragnet surveillance.
Russ Allbery (firstname.lastname@example.org) <http://www.eyrie.org/~eagle/>