
Re: Encrypted repos (https/ftps)




I wonder a bit: I currently see not the single downloads, only the
complete download of all files, when using https.
Does this not matter? Or better said: is it still possible that it
leaks the single file sizes like that?
And if it leaks the file sizes, how easy/hard is it to know the actual
file names which have been downloaded?

Regards

On 18.10.2014 22:01, Kurt Roeckx wrote:
> On Fri, Oct 10, 2014 at 09:59:03PM +0200, Axel Beckert wrote:
>> Hi Kurt,
>>
>> Kurt Roeckx wrote:
>>>> The issue is that our ISPs can see the names of the packages that we
>>>> download, and I don't think anybody needs to see that. With encrypted
>>>> connections this issue would be solved.
>>>
>>> Encrypting it will not solve that.  It will only make it slightly
>>> harder.
>>
>> I don't see why that should make it only slightly harder. Please explain.
>
> Because it leaks things like the size of all the packages you're
> downloading.  apt doesn't do pipelining.
>
>
> Kurt
>
>

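The size leak discussed in this thread can be measured against the public package index, which lists every package's exact size. The following is an added example, not part of the thread and not apt code: it compares what is recoverable from per-file response sizes (no pipelining) with what is recoverable from only the total. The index entries, the 512-byte overhead bound and all function names are constructed assumptions.

```python
from itertools import combinations

# Constructed sample in Debian "Packages" stanza style (names and sizes are made up).
SAMPLE_INDEX = """\
Package: alpha-tool
Size: 48212

Package: beta-lib
Size: 1310720

Package: gamma-doc
Size: 48400

Package: delta-utils
Size: 907554
"""

def parse_index(text):
    """Return {package name: size in bytes} from Packages-style stanzas."""
    sizes = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if "Package" in fields and "Size" in fields:
            sizes[fields["Package"]] = int(fields["Size"])
    return sizes

def candidates(sizes, observed, overhead_max=512):
    """Packages that could explain ONE observed encrypted response.
    Assumption: observed = file size + 0..overhead_max bytes of HTTP/TLS framing."""
    return sorted(n for n, s in sizes.items() if 0 <= observed - s <= overhead_max)

def subsets_matching_total(sizes, total, overhead_max=512):
    """Package sets that could explain only the TOTAL bytes of a whole download."""
    names, hits = sorted(sizes), []
    for r in range(1, len(names) + 1):
        for combo in combinations(names, r):
            slack = total - sum(sizes[n] for n in combo)
            if 0 <= slack <= r * overhead_max:  # per-response overhead adds up
                hits.append(combo)
    return hits

if __name__ == "__main__":
    idx = parse_index(SAMPLE_INDEX)
    print(candidates(idx, 48300))                # one response, sized separately
    print(subsets_matching_total(idx, 1359300))  # only the sum is visible
```

Run against a real index, the length of each candidate list is the size of the set a given download hides in; a list of length one means the size alone identifies the package.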


