Re: When should we https our mirrors?

[Adrian Bunk <bunk@stusta.de>]

On Sun, Oct 23, 2016 at 06:04:50AM -0700, Kristian Erik Hermansen wrote:
>...
> The main issue is that a well positioned attacker, such as the NSA or
> Chinese router admins, have the ability to collect and analyze in
> real-time what systems have installed what patches installed by
> monitoring the historical / real-time patch requests downloaded to
> Debian systems.
>...

It is a common misconception that https could help against these kinds 
of attacks.

https is an improvement over http and it would be good if Debian could  
switch to https by default in stretch, but for the problem you are 
talking about it does not really make a difference.

https can obfuscate the traffic enough that a casual observer
has problems determining what exactly is being transferred.

If someone like the NSA is analyzing all your traffic, then the 
information when and how much data gets transferred should be
sufficient to deduce exactly the information you are worried about.

apt-transport-tor is the only option that has a realistic chance of 
helping you, unless you want to run a mirror of Debian in your network. 
Anyone who is seriously worried about these issues and has a clue about 
security will end up doing something like that.

For the kind of attacks you are describing, https is just snake oil.

> Regards,

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed