
Re: Request for I2P access from those hosting a debian mirror



Axel, thanks for the reply.

>Since I2P is not yet[1] available in Debian, the chances for this are low.

I understand. But aren't the mirrors voluntarily run? Wouldn't it be up to
them to run such a service if they decided to?

>[1] https://bugs.debian.org/448638

Looks like killyourtv has some I2P packages for debian that work. I think
he also manages the Tails I2P package.

> There's though apt-transport-tor, an APT transport for anonymous package
> downloads via Tor, which has similar goals and will be available in the
> next Debian Stable release expected in spring.

That is a nice feature. I see a few minor problems however.
Tor is not designed by default to make end-to-end encrypted connections
between clients and servers, at least not without server configuration
such as hosting an onion service. Alternatively the server might allow
HTTPS, which is good for privacy, but seeing as the software is checked in
apt regardless, it is really not a vast security improvement. HTTPS
requires paying a certificate authority to validate and sign the
repository's cert; it also requires that users trust the certificate
authorities are not compromised by exploit or secret laws.

>Additionally, apt-transport-tor doesn't need any modifications on the
>server side.

Which I agree is extremely nice. But hear me out: a system that drops its
encryption one hop before connecting to the server is far more transparent
to traffic logging. Combine that with what we know of ISPs' logging of
users' traffic, and it doesn't (in my mind) compete with true end-to-end
encryption. The Tor+HTTPS solution relies on the third party of
certificate authorities, which we cannot be sure are not compromised;
moreover they cost the servers money to obtain. A solution that is run
freely and designed from the outset to be encrypted end to end would mean
eavesdroppers would be stuck with traffic analysis of encrypted traffic
alone, assuming they couldn't compromise the server or client at the ends.

I am asking for some of the repository operators to consider and perhaps
research what it would take to host an I2P tunnel to their mirror.

Thanks for your time.
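The distinction the reply draws (plaintext between the Tor exit and the mirror with tor+http, CA-dependent TLS with tor+https, apt's own signature checks unaffected either way) can be audited mechanically on a sources list. The following is an added example, not code from the thread or from Debian: it parses one-line-style sources.list entries, uses the real tor+http and tor+https URI schemes that apt-transport-tor registers, and reports where the plaintext hop of each entry sits. The sample entries are constructed for the example and describe no real system.

```python
"""Audit APT source entries for the transport they use (added example).

For each `deb`/`deb-src` line it reports whether apt-transport-tor is in
use and where, if anywhere, the package traffic is in plaintext.  APT's
signature verification of the Release/InRelease files happens regardless
of transport, so this is about confidentiality of the path, not integrity.
"""
import re

# Constructed sample entries for the example; not a real host's config.
SAMPLE_SOURCES = """\
deb http://deb.debian.org/debian stable main
deb https://deb.debian.org/debian stable main
deb tor+http://deb.debian.org/debian stable main
deb tor+https://deb.debian.org/debian stable main
# deb http://security.debian.org stable/updates main
deb-src tor+http://deb.debian.org/debian stable main
"""

# One-line sources.list syntax: type [options] uri suite component...
ENTRY_RE = re.compile(r'^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)\s+(.+)$')


def classify_uri(uri):
    """Return (via_tor, tls) for an APT source URI.

    apt-transport-tor registers the tor+http and tor+https schemes; the
    part after 'tor+' tells us whether TLS is used to the mirror.
    """
    scheme = uri.split('://', 1)[0].lower()
    via_tor = scheme.startswith('tor+')
    base = scheme[4:] if via_tor else scheme
    return via_tor, base == 'https'


def describe(via_tor, tls):
    """Plain-language note on where the plaintext hop sits."""
    if via_tor and tls:
        return 'tor+https: encrypted to the mirror; trusts the CA for the server cert'
    if via_tor:
        return 'tor+http: plaintext between the Tor exit and the mirror'
    if tls:
        return 'https: encrypted to the mirror; the local network still sees the mirror'
    return 'http: plaintext on the whole path'


def audit(text):
    """Parse sources.list text and return one dict per active entry."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # blank or commented-out entry
        match = ENTRY_RE.match(line)
        if not match:
            continue  # not a one-line-style entry; ignore
        kind, uri, suite, _components = match.groups()
        via_tor, tls = classify_uri(uri)
        results.append({
            'type': kind, 'uri': uri, 'suite': suite,
            'via_tor': via_tor, 'tls': tls, 'note': describe(via_tor, tls),
        })
    return results


def plaintext_exit_entries(text):
    """URIs that go over Tor but are plaintext from the exit to the mirror."""
    return [r['uri'] for r in audit(text) if r['via_tor'] and not r['tls']]


if __name__ == '__main__':
    # Point this at your own /etc/apt/sources.list to audit a real host.
    for entry in audit(SAMPLE_SOURCES):
        print(f"{entry['type']:7} {entry['uri']:45} {entry['note']}")
```

Run it against a real `/etc/apt/sources.list` by reading the file into `audit()`; the `plaintext_exit_entries()` helper is the part worth wiring into a config check, since those are exactly the entries whose last hop the reply above objects to.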
