Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)

To: debian-devel@lists.debian.org
Subject: Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date: Fri, 11 Nov 2016 08:22:19 +0100
Message-id: <[🔎] 1478820812@msgid.manchmal.in-ulm.de>
In-reply-to: <[🔎] 1478788780.1165057.783536337.5E8FEE85@webmail.messagingengine.com>
References: <CAPgP4gxcptXTNcEFb5Jf+SkAYPWSuXwRVAoiqmABG_+gDCdGYw@mail.gmail.com> <580CC7E3.2030301@debian.org> <CAPgP4gwkkfhsfUMzGqT6AWqFnL7u2dazBvbj1ZPTpjQy0WTQeA@mail.gmail.com> <580CED6C.8070206@debian.org> <87oa2amqew.fsf@hope.eyrie.org> <[🔎] 1478788780.1165057.783536337.5E8FEE85@webmail.messagingengine.com>

Henrique de Moraes Holschuh wrote...

> There are some relevant issues, here.
> 
> 1. It does protect against passive snooping *from non-skilled
> attackers*.

Well, yes, no. The tools become better so thinking a few years into
the future sophisticated programs for that purpose might be available to
everyone. Imagine there was a time before wireshark/ethereal, and how
much work pcap analysis was back then.

> 2. It is unknown how much it can protect against passive snooping from
> skilled attackers capable of passive TCP metadata slooping and basic
> traffic analysis *FOR* something like the Debian archive and APT doing
> an update run against the Debian archive

The logical answer is pretty obvious: Not at all. It's a question of
efforts required and my gut feelings tell me it's not very much.

> Do not dismiss (2). TLS is not really designed to be able to fully
> protect object retrieval from a *fully known* *static* object store
> against traffic metadata analysis.   And an apt update run would be even
> worse to protect, as the attacker can [after a small time window from
> the mirror pulse] fully profile the more probable object combinations
> that would be retrieved depending on what version of Debian the user
> has.

Things are worse: There's a small set of clients, and their request
behaviour is quite deterministic. Another snooping aid is usage of
pdiff.

In total, I was not surprised if just given the frame metadata
(direction, high-res timestamp, payload size) it was possible to restore
the actual data transmitted with high accurancy. Even a dget/apt-get
source should have a pretty unique pattern; and I feel tempted to create
a proof of concept for all this (I can resist, though). The apt programs
could obfuscate their request behaviour, the TLS layer could add random
padding of data and time, but I doubt this would help much.

Another "wasn't surprised", applicances might already have that. If not,
the vendors could implement this easily.

> Now, hopefully I got all of that wrong and someone will set me straight.
>  It would make me sleep better at night...

Sorry Dorothy.

    Christoph

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

References:
- Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

Prev by Date: Bug#843952: ITP: node-grunt-legacy-util -- Some old grunt utils provided for backwards compatibility
Next by Date: Bug#843955: ITP: node-grunt-legacy-log -- The Grunt 0.4.x logger
Previous by thread: Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
Next by thread: Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
Index(es):
- Date
- Thread