Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
Hi Russ, Kristian,
On 24.10.2016 07:19, Kristian Erik Hermansen wrote:
> On Sun, Oct 23, 2016 at 7:28 PM, Russ Allbery <email@example.com> wrote:
>> The idea is to *add* HTTPS protection on top of the protections we already
>> have. You're correct that it doesn't give you authentication of the
>> packages without a bunch of work, and we should assume that the general
>> public CA system is compromised. But that actually doesn't matter much
>> for our purposes, since the point is to greatly increase the cost of
>> gathering data about what packages people have installed.
>> The value of HTTPS lies in its protection against passive snooping. Given
> Exactly! Much better said than how I originally phrased these issues.
>> what package and at what version. HTTPS doesn't *prevent* this, but it
>> requires the attacker to do much more sophisticated traffic analysis, or
>> take the *much* more expensive and *far* riskier step of moving to active
>> interference with traffic, neither of which nation-state attackers want to
>> do and neither of which they have the resources to do *routinely*.
>> It won't help if a nation-state actor is targeting you *in particular*.
>> But it helps immensely against dragnet surveillance.
> Again, exactly right and well stated. We can never stop targeted
> attacks, but we can make passive data collection more expensive and
> increase the chances that a targeted attack is detected.
Yes, thank you for the explanations. I now get the point of improving confidentiality more than integrity here, and warding
off most passive data gatherers.