Re: When should we https our mirrors?
On Mon, Oct 24, 2016 at 1:59 AM, Adrian Bunk <bunk@stusta.de> wrote:
> It is a common misconception that https could help against these kinds
> of attacks.
>
> https is an improvement over http and it would be good if Debian could
> switch to https by default in stretch, but for the problem you are
> talking about it does not really make a difference.
>
> https can obfuscate the traffic enough that a casual observer
> has problems determining what exactly is being transferred.
>
> If someone like the NSA is analyzing all your traffic, then the
> information when and how much data gets transferred should be
> sufficient to deduce exactly the information you are worried about.
The point is to make passive analysis more costly to do so. If they
have to assign a probability and it takes exponentially more resources
than simply "save PCAP to disk", then HTTPS has improved the
situation. And again, HTTP/2 can also help to obscure that analysis.
Right now, I only see three Debian mirrors that support HTTP/2 and
they are all in Chinese-speaking locales.
mirrors.tuna.tsinghua.edu.cn
mirrors.ustc.edu.cn
shadow.ind.ntou.edu.tw
> apt-transport-tor is the only option that has a realistic chance of
> helping you, unless you want to run a mirror of Debian in your network.
> Anyone who is seriously worried about these issues and has a clue about
> security will end up doing something like that.
Yes and it is the default in Tails OS. However, it would be prudent to
include a secure default option for everyone else that utilizes Debian
in the future.
> For the kind of attacks you are describing, https is just snake oil.
Profusely disagree and so do other members of this list. I'll leave it
at that, but also I should point out that your email is being routed
insecurely via welho.com and lacks TLS in transit, so I also probably
shouldn't consider your TLS knowledge very highly...
--
Regards,
Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
Reply to: