
Re: Q: Use https for {deb,security}.debian.org by default
On 2021-08-20 11:36:41 +0200 (+0200), Bjørn Mork wrote:
> Jeremy Stanley <fungi@yuggoth.org> writes:
> 
> > While this does complicate it, a snooping party can still know the
> > site they're connecting to via SNI happening unencrypted,
> 
> I believe this can be fixed with TLS 1.3?
> 
> > and packet sizes/pacing likely give away which pages or files are
> > being retrieved based on their length.
> 
> Yes, probably looking into territory where you'd not want to directly
> access any public service at all here..
> 
> > And that's not even getting into
> > how "trusted" certificate authorities give away certificates for any
> > hostname if your MitM knows the right people,
> 
> Debian is among the few who publish TLSA records (DANE).  Which is still
> pretty useless for normal web services since the major browser vendors
> refuse to support it.  But TLSA validation could easily be implemented
> in apt-transport-https. Maybe it is?  That would prevent this problem.
> 
> > and CDNs are now in
> > the business of snooping on everyone's traffic for sites where they
> > handle SSL/TLS termination. HTTPS as deployed on the open Internet
> > is a sip of security with several gulps of theater.
> 
> Not much to do if you don't trust your own servers, whether they are CDN
> frontends or whatever.

I agree with all of the above, my point was that the current state
of HTTPS doesn't especially improve integrity for Debian package
management over the signed indices and checksums we already rely on,
and trying to use HTTPS for privacy/secrecy (which isn't really what
it was designed for) is still and perhaps even increasingly
misguided. Of course lots of people will continue to expect magic
HTTPS fairy dust to protect them and ward off evil, but the only
legitimate reason I can see for Debian changing the default protocol
for sources.list entries is to avoid having to pointlessly debate
the minimal benefits of HTTPS with people who drink whatever
cool-aid they're told by security "experts" (HTTP bad, HTTPS good,
drink up!).
-- 
Jeremy Stanley
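The "signed indices and checksums we already rely on" in the reply above are apt's integrity chain: the InRelease file is OpenPGP-signed, it lists the digest and size of every index file, and each Packages index lists the digest and size of every .deb. The transport does not take part in that chain, which is why HTTPS adds little integrity. The following added example (not code from the thread, from apt, or from Debian) walks that chain over a constructed two-file miniature archive. The OpenPGP check on InRelease is assumed to have already been done by gpgv against the keyring, so the example starts from the Release text and verifies the hash chain down to the package; file contents, paths and hashes are all constructed in the block.

```python
import hashlib
import re

# --- Constructed miniature archive (stand-in data, not real Debian files) ---
DEB_BYTES = b"constructed stand-in for example_1.0-1_amd64.deb contents\n"
DEB_PATH = "pool/main/e/example/example_1.0-1_amd64.deb"
INDEX_PATH = "main/binary-amd64/Packages"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# One stanza in the deb822 layout apt reads from a Packages index.
# (Constructed; the sample has no multi-line continuation fields.)
PACKAGES_TEXT = (
    "Package: example\n"
    "Version: 1.0-1\n"
    "Architecture: amd64\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {sha256_hex(DEB_BYTES)}\n"
    "\n"
)

# The Release file lists each index with its digest and size. In a real
# archive this is the text the InRelease OpenPGP signature covers.
RELEASE_TEXT = (
    "Origin: Debian\n"
    "Suite: stable\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES_TEXT.encode())} "
    f"{len(PACKAGES_TEXT.encode()):>8} {INDEX_PATH}\n"
)


def parse_release_digests(text: str, algo: str = "SHA256") -> dict:
    """Return {path: (hexdigest, size)} from the 'SHA256:' block of a Release file."""
    digests = {}
    in_block = False
    for line in text.splitlines():
        if not line.startswith(" "):
            # A non-indented line is a field name; only the chosen digest block counts.
            in_block = line.rstrip() == f"{algo}:"
            continue
        if in_block:
            hexdigest, size, path = line.split()
            digests[path] = (hexdigest, int(size))
    return digests


def parse_packages(text: str) -> list:
    """Split a Packages index into stanzas, each a {field: value} dict."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas


def verify_index(release_text: str, index_path: str, index_bytes: bytes) -> bool:
    """Step 1: the (signed) Release file vouches for the Packages index."""
    entry = parse_release_digests(release_text).get(index_path)
    if entry is None:
        return False
    hexdigest, size = entry
    return len(index_bytes) == size and sha256_hex(index_bytes) == hexdigest


def verify_deb(packages_text: str, deb_path: str, deb_bytes: bytes) -> bool:
    """Step 2: the verified Packages index vouches for the .deb itself."""
    for stanza in parse_packages(packages_text):
        if stanza.get("Filename") == deb_path:
            return (int(stanza["Size"]) == len(deb_bytes)
                    and sha256_hex(deb_bytes) == stanza["SHA256"])
    return False


def verify_chain(release_text, index_path, index_bytes, deb_path, deb_bytes) -> bool:
    """Full chain: Release -> Packages index -> .deb, all by digest and size."""
    return (verify_index(release_text, index_path, index_bytes)
            and verify_deb(index_bytes.decode(), deb_path, deb_bytes))


if __name__ == "__main__":
    index = PACKAGES_TEXT.encode()
    print("genuine package accepted:",
          verify_chain(RELEASE_TEXT, INDEX_PATH, index, DEB_PATH, DEB_BYTES))
    print("modified package accepted:",
          verify_chain(RELEASE_TEXT, INDEX_PATH, index, DEB_PATH, DEB_BYTES + b"x"))
```

A mirror, CDN frontend or on-path party that alters either the index or the package breaks the chain at the corresponding step, with or without TLS; what the chain does not hide is which paths were fetched, which is the privacy point the thread is making.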
