[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: When should we https our mirrors?

On Mon, Oct 24, 2016 at 04:00:49AM -0700, Kristian Erik Hermansen wrote:
> On Mon, Oct 24, 2016 at 1:59 AM, Adrian Bunk <bunk@stusta.de> wrote:
> but also I should point out that your email is being routed
> insecurely via welho.com and lacks TLS in transit, so I also probably
> shouldn't consider your TLS knowledge very highly...

Your incorrect claims won't become better by personal attacks against me.

What would TLS protect against when sending an email to a public
mailing list?

The contents (including all headers) is anyway public, and if either
of us was worried about someone modifying the contents of the email
he would add a signature.

> > It is a common misconception that https could help against these kinds
> > of attacks.
> >
> > https is an improvement over http and it would be good if Debian could
> > switch to https by default in stretch, but for the problem you are
> > talking about it does not really make a difference.
> >
> > https can obfuscate the traffic enough that a casual observer
> > has problems determining what exactly is being transferred.
> >
> > If someone like the NSA is analyzing all your traffic, then the
> > information when and how much data gets transferred should be
> > sufficient to deduce exactly the information you are worried about.
> The point is to make passive analysis more costly to do so. If they
> have to assign a probability and it takes exponentially more resources
> than simply "save PCAP to disk", then HTTPS has improved the
> situation.

Against someone like the NSA the improvement is pretty marginal,
and I doubt it would increase the work they have to do much.

Encrypting the contents doesn't help much when you can deduce the 
contents from the timing and amount of the transfers.

Your claims that using https for that purpose would give any kind of 
protections against actors like the NSA are just snake oil.

Pretty dangerous snake oil, if someone ends up believing what you wrote  
instead of using a proper solution like apt-transport-tor.

Debian is an Open Source project, and the only way you can improve 
anything is by doing work yourself - if all you are doing is producing 
hot air, you will achieve nothing.

People have already pointed out several areas where work needs to be 
done for using https by default, and if this is important for you there 
is for example nothing stopping you from starting to work right now on 
improving the https transport in apt.

Or you could prove that it is actually not that important for you by 
doing no development work for that.

Noone is arguing that switching to https would be a bad thing,
but whether or not it will happen depends solely on whether or
not people like you will do the work to make it happen.

> Regards,



       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Reply to: