Re: When should we https our mirrors?
On Mon, Oct 24, 2016 at 1:59 AM, Adrian Bunk <firstname.lastname@example.org> wrote:
> It is a common misconception that https could help against these kinds
> of attacks.
> https is an improvement over http and it would be good if Debian could
> switch to https by default in stretch, but for the problem you are
> talking about it does not really make a difference.
> https can obfuscate the traffic enough that a casual observer
> has problems determining what exactly is being transferred.
> If someone like the NSA is analyzing all your traffic, then the
> information when and how much data gets transferred should be
> sufficient to deduce exactly the information you are worried about.
The point is to make passive analysis more costly to do so. If they
have to assign a probability and it takes exponentially more resources
than simply "save PCAP to disk", then HTTPS has improved the
situation. And again, HTTP/2 can also help to obscure that analysis.
Right now, I only see three Debian mirrors that support HTTP/2 and
they are all in Chinese-speaking locales.
> apt-transport-tor is the only option that has a realistic chance of
> helping you, unless you want to run a mirror of Debian in your network.
> Anyone who is seriously worried about these issues and has a clue about
> security will end up doing something like that.
Yes and it is the default in Tails OS. However, it would be prudent to
include a secure default option for everyone else that utilizes Debian
in the future.
> For the kind of attacks you are describing, https is just snake oil.
Profusely disagree and so do other members of this list. I'll leave it
at that, but also I should point out that your email is being routed
insecurely via welho.com and lacks TLS in transit, so I also probably
shouldn't consider your TLS knowledge very highly...
Kristian Erik Hermansen