Re: Possibly moving Debian services to a CDN
]] Ingo Jürgensmann
> Am 14.10.2013 um 07:29 schrieb Tollef Fog Heen <firstname.lastname@example.org>:
> > - I would like us to have agreements with any donors that they're not
> > allowed to use the information for anything but operational issues. We
> > can't tell them not to log (because that's really hard on a technical
> > level), but we can restrict what they can do with the logs.
> True. You can request agreements, but as the whole NSA affair is
> showing: it doesn't matter when it comes down to NSA & Co. There are
> secret courts with secret decisions and National Security Letters for
> silencing the providers, although internal agreements like Safe Harbor
> do exist.
> So, whereas agreements can be made, there will be no way for Debian to control whether they are being held or not.
I'm fundamentally of the opinion that if the NSA or a similar
organisation wants to track you and is willing to expend that effort on
tracking you in particular, there is just about nothing you can do about
it. As you note, we can't actually control it, just like we can't do it
today, so the difference becomes «lots of mirrors, vulnerable to smaller
attackers, but hard to coordinate MITM-ing» vs «fewer mirrors/CDN nodes,
requires more effort from attackers, easier to MITM». I don't think it
makes that much of a difference in terms of cost if the attacker has
that many resources and is willing to expend the effort. It seems you
disagree, and I don't really see us agreeing here, as it's a question of
tradeoffs and you weigh your tradeoffs differently than I do.
> >> 2) Integrity concerns: although Debian uses signed package lists and
> >> hashed packages, using a CDN would raise the chances that there might
> >> be attack vectors by manipulating the traffic. Maybe not by the will
> >> of the company running it, but there are other groups that might have
> >> the interest and the power to intercept traffic and manipulate it. This
> >> is, of course, also true for current mirror sites, but a centralized
> >> CDN will be more convenient to such kinds of attackers.
> > Given we don't use HTTPS and such today, you don't know if the traffic
> > is actually going to the mirror you think it's going to, so this isn't
> > really different from today. With a CDN we could actually push more of
> > the traffic to HTTPS if we wanted. This isn't feasible with today's
> > mirror network.
> That's a valid point of yours, thanks! The use of HTTPS should be
> encouraged, of course. How would HTTPS with a CDN work? I would
> believe that the CDN provider will use some kind of SSL proxy or SSL
> interception techniques. Otherwise you would have the same problems
> with managing HTTPS with the current mirror network.
> There are probably these possible ways:
> a) CDN provides an HTTPS entry point, but connects to the underlying mirror by plain HTTP.
> b) CDN uses DPI and SSL interception to break end-to-end encryption
You upload your cert and key to the CDN, which then does HTTPS to the
client. Whether they do HTTPS to the backend or not depends on the
CDN. I know at least some do.
> Anyway, I think the discussion about using a CDN is not about technical
> aspects, but it's a political debate that needs to be held, and finally
> a political decision has to be made whether Debian as a Free/Libre
> Software project/distribution wants to use a CDN and accept the risks
> that come with that or not.
Right, there are technical hurdles we need to overcome. If we can't
overcome those in a reasonable fashion, the whole exercise becomes
> Personally I believe that using a CDN would make the life of DSA
> easier (you wrote something in a different mail today that the current
> CDN breaks on a weekly basis. Can you elaborate on this, maybe on wiki.d.o?)
> and it might be easier for users.
The breakage I'm seeing is from apt-get update failing on various hosts
around the world. It's usually fine if it's retried 5s later. And yes,
the goal here is to free up volunteer time as well as get a better
experience for the end user.
> OTOH I have great privacy concerns about using a CDN. And if the
> current mirror network is still maintained, where's the benefit
> for DSA and the users then at all? Having freedom of choice is always
> good, so I'd be fine with keeping the current mirror network, but having a
> cdn.debian.org in parallel. When doing fresh installations people
> should be made aware of privacy concerns when using the CDN (like:
> "Using a CDN might be easier and faster for you, but Debian doesn't
> control the CDN and cannot guarantee privacy and data protection").
That implies we can guarantee privacy and data protection for other
mirrors, which we can't.
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
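The integrity point made above (signed package lists and hashed packages mean a tampered index is caught no matter which mirror or CDN node served it) is illustrated by this added Python example, which is not code from the thread or from Debian. It parses the SHA256 section of a Release file the way apt does after the Release signature has been checked, and rejects a Packages index whose size or hash does not match. The Release and Packages contents are constructed sample data, and GPG verification of the Release signature is assumed to have already succeeded.

```python
import hashlib

def parse_release_hashes(release_text: str, algo: str = "SHA256") -> dict:
    """Return {path: (hexdigest, size)} from one hash section of a Release file.
    Sections are headed "MD5Sum:", "SHA1:" or "SHA256:" and hold indented
    lines of the form " <hex> <size> <path>"; other fields are "Key: value".
    """
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):         # any unindented line ends a hash section
            in_section = line.rstrip() == f"{algo}:"
            continue
        if in_section:
            hexdigest, size, path = line.split()
            entries[path] = (hexdigest, int(size))
    return entries

def verify_index(release_text: str, path: str, body: bytes) -> bool:
    """True only if body's size and SHA256 match the signed Release entry for path."""
    entries = parse_release_hashes(release_text)
    if path not in entries:                  # a file the Release does not list is rejected
        return False
    expected_hex, expected_size = entries[path]
    if len(body) != expected_size:
        return False
    return hashlib.sha256(body).hexdigest() == expected_hex

# Constructed sample Packages index: one stanza, as a mirror or CDN edge would serve it.
INDEX_PATH = "main/binary-amd64/Packages"
GOOD_PACKAGES = (
    b"Package: hello\nVersion: 2.8-2\nArchitecture: amd64\n"
    b"Filename: pool/main/h/hello/hello_2.8-2_amd64.deb\n\n"
)

def build_release(packages: bytes) -> str:
    """Constructed stand-in for the archive's Release file (signed as InRelease in reality)."""
    return ("Origin: Debian\nSuite: stable\nSHA256:\n"
            f" {hashlib.sha256(packages).hexdigest()} {len(packages)} {INDEX_PATH}\n")

RELEASE = build_release(GOOD_PACKAGES)
# Same length, one byte changed in transit: the Filename now points at a different .deb.
TAMPERED_PACKAGES = GOOD_PACKAGES.replace(b"hello_2.8-2", b"hellx_2.8-2")

if __name__ == "__main__":
    print("genuine index accepted:", verify_index(RELEASE, INDEX_PATH, GOOD_PACKAGES))      # True
    print("modified index accepted:", verify_index(RELEASE, INDEX_PATH, TAMPERED_PACKAGES))  # False
```

Because the check binds the index to the signed Release rather than to the transport, a CDN edge, a plain-HTTP mirror and an HTTPS front end are all held to the same standard; what HTTPS adds on top is confidentiality of which files a client fetched.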