
Re: When should we https our mirrors?



On Mon, Oct 24, 2016 at 04:00:49AM -0700, Kristian Erik Hermansen wrote:
> On Mon, Oct 24, 2016 at 1:59 AM, Adrian Bunk <bunk@stusta.de> wrote:
> but also I should point out that your email is being routed
> insecurely via welho.com and lacks TLS in transit, so I also probably
> shouldn't consider your TLS knowledge very highly...

Your incorrect claims won't become better by personal attacks against me.

What would TLS protect against when sending an email to a public
mailing list?

The contents (including all headers) are public anyway, and if either
of us was worried about someone modifying the contents of the email
he would add a signature.

> > It is a common misconception that https could help against these kinds
> > of attacks.
> >
> > https is an improvement over http and it would be good if Debian could
> > switch to https by default in stretch, but for the problem you are
> > talking about it does not really make a difference.
> >
> > https can obfuscate the traffic enough that a casual observer
> > has problems determining what exactly is being transferred.
> >
> > If someone like the NSA is analyzing all your traffic, then the
> > information when and how much data gets transferred should be
> > sufficient to deduce exactly the information you are worried about.
> 
> The point is to make passive analysis more costly to do so. If they
> have to assign a probability and it takes exponentially more resources
> than simply "save PCAP to disk", then HTTPS has improved the
> situation.
>...

Against someone like the NSA the improvement is pretty marginal,
and I doubt it would increase the work they have to do much.

Encrypting the contents doesn't help much when you can deduce the 
contents from the timing and amount of the transfers.

Your claims that using https for that purpose would give any kind of 
protections against actors like the NSA are just snake oil.

Pretty dangerous snake oil, if someone ends up believing what you wrote  
instead of using a proper solution like apt-transport-tor.

Debian is an Open Source project, and the only way you can improve 
anything is by doing work yourself - if all you are doing is producing 
hot air, you will achieve nothing.

People have already pointed out several areas where work needs to be 
done for using https by default, and if this is important for you there 
is for example nothing stopping you from starting to work right now on 
improving the https transport in apt.

Or you could prove that it is actually not that important for you by 
doing no development work for that.

No one is arguing that switching to https would be a bad thing,
but whether or not it will happen depends solely on whether or
not people like you will do the work to make it happen.

> Regards,

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

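To make the size-and-timing argument in Adrian's reply concrete, here is an added Python example (not from the thread, nor Debian's or apt's code) that checks how many entries of a constructed package index can be told apart purely by the byte count of an encrypted download. The index, the sizes and the framing-overhead bound are all made-up values; real Packages indexes publish the exact Size of every .deb, which is what makes this matching possible and why the reply points to apt-transport-tor rather than plain https as the mitigation.

```python
"""Size fingerprinting of encrypted mirror downloads (illustrative example)."""

# Constructed sample of a Packages index: package name -> size of the .deb in
# bytes. These are made-up numbers, not real Debian package sizes.
PACKAGE_INDEX = {
    "libfoo1": 48_210,
    "foo-utils": 122_880,
    "bar-daemon": 1_048_576,
    "baz-doc": 1_048_900,
}

# Constructed upper bound on how much bigger the observed TLS stream is than
# the .deb itself (record framing, HTTP response headers). Ciphertext is never
# smaller than the plaintext, so the window is one-sided.
FRAMING_OVERHEAD_MAX = 2_048


def candidates_for_transfer(observed_bytes, index=PACKAGE_INDEX,
                            overhead=FRAMING_OVERHEAD_MAX):
    """Return the package names whose .deb size is consistent with a single
    encrypted transfer of `observed_bytes` bytes."""
    return sorted(name for name, size in index.items()
                  if size <= observed_bytes <= size + overhead)


def fingerprint_session(transfer_sizes, index=PACKAGE_INDEX,
                        overhead=FRAMING_OVERHEAD_MAX):
    """Map every observed transfer size in a session to its candidate packages.
    A one-element candidate list means the package is identified despite TLS."""
    return [(n, candidates_for_transfer(n, index, overhead))
            for n in transfer_sizes]


def uniquely_identifiable(index=PACKAGE_INDEX, overhead=FRAMING_OVERHEAD_MAX):
    """Count index entries that no other entry could be confused with, i.e.
    whose size window [size, size + overhead] overlaps no other window."""
    sizes = sorted(index.values())
    unique = 0
    for i, s in enumerate(sizes):
        prev_overlaps = i > 0 and sizes[i - 1] + overhead >= s
        next_overlaps = i + 1 < len(sizes) and s + overhead >= sizes[i + 1]
        if not (prev_overlaps or next_overlaps):
            unique += 1
    return unique


if __name__ == "__main__":
    # Constructed observation: three downloads seen on one https connection.
    for n, cands in fingerprint_session([48_900, 123_400, 1_049_100]):
        print(f"{n:>9} bytes -> {cands or 'no match'}")
    print(f"{uniquely_identifiable()} of {len(PACKAGE_INDEX)} packages uniquely identifiable")
```

With this toy index, only the two near-identical sizes (bar-daemon and baz-doc) remain ambiguous; everything else is identified from size alone.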
