
Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)



On Mon, Oct 24, 2016 at 2:33 AM, Adrian Bunk <bunk@stusta.de> wrote:
> You are implicitly assuming that mirrors can be trusted,
> and even that is not true.

No, not actually. Just presuming that NSA doesn't operate ALL mirrors.
Of course they can operate single servers or a number of servers, but
that increases costs and makes it harder to passively collude against
ALL users.

> Who is operating ftp.cn.debian.org, and who has access to the logfiles
> on that server?
>
> Debian would accept debian.nsa.gov as mirror, and the NSA might already
> operate or have access at some current mirrors.

Right, but that's a much smaller subset of ALL.

> When a nation-state actor analyzes all the traffic on a network
> connection that also happens to carry the traffic between you and
> the Debian mirror you are using, HTTPS won't make a difference.

If it doesn't make a difference, send me a PCAP of all your private
traffic captured from an intermediary node :) I mean, if you don't
seem to care, you won't mind me looking through your stuff. And I also
encourage you to configure your browsers and email clients to utilize
only plaintext HTTP / SMTP / IMAP / POP, perhaps on public wifi too,
so we can all read it. You know, I mean, if it "doesn't make a
difference to you" if you use HTTP or HTTPS or other unencrypted
protocols. The reason it matters so much with SecureAPT is because
these are critical protocols running with root privileges on your
system and are leaking a large amount of data about your system
configuration and the security of it. I don't think I need to belabor
that point. HTTPS does make a huge difference and the entire Internet
would not be using it if it "didn't make a difference".

We can probably end the thread here because numerous respected @debian
contributors have confirmed the issues with confidentiality and seem
to be making efforts in that direction (hopefully for the next release).

-- 
Regards,

Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen

