[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: client-side signature checking of Debian archives

(Disclaimer: I am a maintainer of apt-transport-tor… but also of
-https and apt itself, so I am biased beyond hope in this matter)

On Sun, Oct 23, 2016 at 07:20:35PM -0700, Russ Allbery wrote:
> Paul Wise <pabs@debian.org> writes:
> > On Mon, Oct 24, 2016 at 7:21 AM, Kristian Erik Hermansen wrote:
> >> The point is to improve privacy.
> > Better privacy than https can be had using Tor:
> > https://onion.debian.org/
> Yeah, but this is *way* harder than just using TLS.  You get much of the
> benefit by using TLS, and Tor comes with a variety of mildly problematic

TLS doesn't give you a lot of privacy in the context of Debian mirrors.
The traffic analyse Russ has hinted at is one thing, but the biggest
privacy issue is actually that you are a Debian user – and that is
communicated in the clear regardless of using HTTPS or not e.g. if you
connect to security.debian.org. Keeping track of then you connect to
figure out how long it takes you to react to DSAs isn't exactly hard
either. Would it be interesting to know which packages you install?
Maybe if I am really interested in you as it takes ages to get to know
all your packages (if you don't happen to do an upgrade to a new major
release), but as the average evil doer I know more than enough already:
Your IP and that you are likely suspect to recent exploits for at least
a few minutes still. That should be enough to add you to my botnet… (or
lets imagine something "less scary": The bar you are in offering
a special two-for-one-beer for Debian users "out of nowhere"…).

> side effects (speed issues,

Maybe its just me being lucky, but speed seems not to be an issue for me
for apt via Tor. Okay, the initial connect takes slightly longer, but
after that is done apts (tor+)http method with its support of pipelining
is actually perfectly capable of maxing out my connection (regardless of
onion or "normal" mirrors I am connecting to) in most cases.

> rather more complicated to set up and keep
> going for the average person,

No. For the average user its a matter of installing apt-transport-tor
and changing sources.list [if you have ideas/patches to enhance this
further feel free to contact us]. You have to do the same for https.
You don't have to go all Tor for everything at once…

(okay, it gets tricky perhaps if your network is blocking connection to
known Tor nodes at which point you need bridges, but the same network
could forbid [non-MITM] HTTPS, so that argument isn't super strong)

Operating an onion service is a different matter of course, but your
average person isn't very likely to setup a good http (or https) mirror
either and you don't absolutely need an onion service. Your usual http
will do. Sure, all-knowing traffic analyse will be capable of perhaps
figuring out what you do in that case, but that chance is a lot lower
the more traffic is routed through the Tor network and the information
that you are a Debian user isn't clearly written on your connection…
(Your are trading it in for "Tor user" which might or might not be
a better label to have at the moment, but given that we are talking
about people out there trying to get you they probably don't need
additional incentive…)

That said, sure, having https would be cool against the casual MITM like
these pesky login-before-you-can-use-our-free-internet portals, but we
already know that. We don't need yet another person coming here and
trying to convince us that HTTPS is the magic bullet we have all been
waiting for because it isn't. Various people have said for various teams
already which technical challenges need to be solved before we can
seriously think about rolling out https on a broad scale and as usual
the problems aren't fixing themselves if only we talk long enough about

Best regards

David Kalnischkies

Attachment: signature.asc
Description: PGP signature

Reply to: