
Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)

On Mon, Oct 24, 2016 at 04:33:57PM -0700, Russ Allbery wrote:
> Adrian Bunk <bunk@stusta.de> writes:
>...
> > I would assume this can be pretty automated, and that by NSA standards
> > this is not a hard problem.
> 
> Since the entire exchange is encrypted, it's not completely trivial to map
> size of data transferred to a specific package (of course, it's even
> harder if we reuse connections).  But the point I'm making is more that
> it's not something that just falls out of an obvious surveillance
> technique that has wide-ranging uses.  It requires someone to write code
> to *specifically* target Debian mirrors, which I think is much less likely
> than just collecting all the data and deciding to analyze it afterwards.
>...

If I were looking at the apt traffic, the most interesting for me would 
be the traffic to security.debian.org that a computer running Debian 
stable usually produces.

Just collecting data on when and how much HTTPS traffic is happening 
should be sufficient to determine information like the following:
  What Debian release is running on that computer?
  Which security-relevant packages are installed on that computer?
  Are security updates downloaded automatically or manually?
  In the latter case, are they installed in a timely manner?

When your adversary is powerful enough that he is capable of monitoring
your traffic with security.debian.org, then apt-transport-https is just 
snake oil.

The NSA might actually be very grateful that there are people who are 
promoting such snake oil as a solution, since this lowers the probability 
of people looking for solutions that could make it harder for the NSA.

I would assume it is unlikely that the NSA is monitoring the connection 
between me and my nearest Debian mirror. This does of course depend on 
your geographical location.

I would assume it is likely that the NSA is monitoring the connection 
between me and security.debian.org.

By discouraging users from using mirrors for security.debian.org,
Debian is presenting a nearly complete list of all computers in
the world running Debian stable and their security update status
and policies on a silver plate to the NSA.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
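A worked illustration of the size-based inference the post describes, added here as an example and not part of the original message or of any Debian tooling: it matches an observed encrypted transfer size against a package index and shows how much a padding mitigation would widen the observer's candidate set. The package sizes, the per-download overhead and the padding scheme are constructed assumptions, not real archive data.

```python
"""Size fingerprinting of HTTPS package downloads and the effect of padding."""
from collections import defaultdict

# Constructed sample of an archive index: package name -> .deb size in bytes.
# These values are made up for the example and are not real Debian metadata.
PACKAGE_SIZES = {
    "openssl": 1_450_112,
    "libssl1.0.2": 1_311_744,
    "bash": 1_149_954,
    "curl": 228_612,
    "libcurl3": 290_790,
    "wget": 801_934,
    "sudo": 1_024_880,
    "nginx-common": 89_512,
}

# Assumed constant per-download overhead for HTTP headers and TLS framing
# (hypothetical; real overhead varies with cipher suite, record size and headers).
OVERHEAD_BYTES = 4_096
TOLERANCE = 1_024  # slack to absorb header and record-size variation


def padded(size, pad_to=None):
    """Body size after a mirror pads the response up to a multiple of pad_to."""
    if not pad_to:
        return size
    return -(-size // pad_to) * pad_to  # ceiling division


def candidates(observed_bytes, sizes=PACKAGE_SIZES, pad_to=None):
    """Packages whose download would put roughly observed_bytes on the wire."""
    out = []
    for name, size in sizes.items():
        expected = padded(size, pad_to) + OVERHEAD_BYTES
        if abs(expected - observed_bytes) <= TOLERANCE:
            out.append(name)
    return sorted(out)


def anonymity_sets(sizes=PACKAGE_SIZES, pad_to=None):
    """Group packages by wire size; each group is what an observer cannot tell apart."""
    groups = defaultdict(list)
    for name, size in sizes.items():
        groups[padded(size, pad_to)].append(name)
    return {k: sorted(v) for k, v in groups.items()}


def unique_fraction(sizes=PACKAGE_SIZES, pad_to=None):
    """Fraction of packages an observer can identify from size alone."""
    groups = anonymity_sets(sizes, pad_to)
    return sum(1 for g in groups.values() if len(g) == 1) / len(sizes)
```

Without padding every package in the sample is uniquely identifiable from the transfer size; padding bodies to a 1 MiB multiple collapses the sample into two indistinguishable groups, which is the kind of check worth running against a real index before treating HTTPS as a confidentiality measure for the archive.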