
Re: client-side signature checking of Debian archives



(Disclaimer: I am a maintainer of apt-transport-tor… but also of
-https and apt itself, so I am biased beyond hope in this matter)

On Sun, Oct 23, 2016 at 07:20:35PM -0700, Russ Allbery wrote:
> Paul Wise <pabs@debian.org> writes:
> > On Mon, Oct 24, 2016 at 7:21 AM, Kristian Erik Hermansen wrote:
> >> The point is to improve privacy.
> 
> > Better privacy than https can be had using Tor:
> 
> > https://onion.debian.org/
> 
> Yeah, but this is *way* harder than just using TLS.  You get much of the
> benefit by using TLS, and Tor comes with a variety of mildly problematic

TLS doesn't give you a lot of privacy in the context of Debian mirrors.
The traffic analysis Russ has hinted at is one thing, but the biggest
privacy issue is actually that you are a Debian user – and that is
communicated in the clear regardless of using HTTPS or not e.g. if you
connect to security.debian.org. Keeping track of when you connect to
figure out how long it takes you to react to DSAs isn't exactly hard
either. Would it be interesting to know which packages you install?
Maybe if I am really interested in you as it takes ages to get to know
all your packages (if you don't happen to do an upgrade to a new major
release), but as the average evil doer I know more than enough already:
Your IP and that you are likely susceptible to recent exploits for at least
a few minutes still. That should be enough to add you to my botnet… (or
let's imagine something "less scary": The bar you are in offering
a special two-for-one-beer for Debian users "out of nowhere"…).


> side effects (speed issues,

Maybe it's just me being lucky, but speed seems not to be an issue for me
for apt via Tor. Okay, the initial connect takes slightly longer, but
after that is done apt's (tor+)http method with its support of pipelining
is actually perfectly capable of maxing out my connection (regardless of
onion or "normal" mirrors I am connecting to) in most cases.


> rather more complicated to set up and keep
> going for the average person,

No. For the average user it's a matter of installing apt-transport-tor
and changing sources.list [if you have ideas/patches to enhance this
further feel free to contact us]. You have to do the same for https.
You don't have to go all Tor for everything at once…

(okay, it gets tricky perhaps if your network is blocking connection to
known Tor nodes at which point you need bridges, but the same network
could forbid [non-MITM] HTTPS, so that argument isn't super strong)

Operating an onion service is a different matter of course, but your
average person isn't very likely to set up a good http (or https) mirror
either and you don't absolutely need an onion service. Your usual http
will do. Sure, all-knowing traffic analysis will be capable of perhaps
figuring out what you do in that case, but that chance is a lot lower
the more traffic is routed through the Tor network and the information
that you are a Debian user isn't clearly written on your connection…
(You are trading it in for "Tor user" which might or might not be
a better label to have at the moment, but given that we are talking
about people out there trying to get you they probably don't need
additional incentive…)


That said, sure, having https would be cool against the casual MITM like
these pesky login-before-you-can-use-our-free-internet portals, but we
already know that. We don't need yet another person coming here and
trying to convince us that HTTPS is the magic bullet we have all been
waiting for because it isn't. Various people have said for various teams
already which technical challenges need to be solved before we can
seriously think about rolling out https on a broad scale and as usual
the problems aren't fixing themselves if only we talk long enough about
them…


Best regards

David Kalnischkies
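
The sources.list change mentioned in the message above, as an added example that is not part of the original mail or of apt's own code: a sketch that prefixes active `http`/`https` entries in the one-line format with `tor+` and lists the entries that still do not use a `tor+` method. The function names and sample entries are constructed, and apt-transport-tor is assumed to be installed.

```shell
#!/bin/sh
# Added example; function names and sample entries are constructed.

# Optional leading blanks, "deb" or "deb-src", then an optional [ options ] group.
ENTRY_PREFIX='^([[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?)'

# Rewrite active one-line-style entries so http(s) URIs use the tor+ methods.
# Comments, already converted entries and other schemes pass through untouched.
torify_sources() {
    sed -E "s#${ENTRY_PREFIX}(https?://)#\\1tor+\\4#"
}

# Print active entries whose URI does not use a tor+ method
# (local schemes such as file: are listed too, for manual review).
non_tor_sources() {
    grep -E "${ENTRY_PREFIX}" | grep -Ev "${ENTRY_PREFIX}tor\\+" || true
}

# Constructed sample sources.list content.
SAMPLE='deb http://deb.debian.org/debian stable main
deb-src [ arch=amd64 ] https://deb.debian.org/debian stable main
# deb http://example.org/debian stable main
deb tor+http://mirror.example/debian stable main
deb file:/srv/mirror stable main'

# Show the converted sample, then what would still bypass Tor afterwards.
printf '%s\n' "$SAMPLE" | torify_sources
printf '%s\n' "$SAMPLE" | torify_sources | non_tor_sources
```

Running `non_tor_sources` over the real file after the edit is a quick check that no active entry was left on plain `http` or `https`.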
