
Re: Repository Link are NOT https://
tom <public-prv@mailueberfall.de> writes:

> I have discovered that none of the repository links is https:// . Is it
> not safer to use only https:// connections?

> And as well the download of a Debian distro is only http:// .

> Sorry to say that but nearly all other distros used for the download
> link https:// . But as repository links they all used only http://
> connections like Debian.

It doesn't matter for the integrity of the packages.  APT does a much
stronger validation via a public key signature and doesn't rely on
transport security at all.

It does potentially matter as a source of information leakage, since it
allows others to know what packages you're downloading to your host.
Unfortunately, it's hard for us to deploy a consistent certificate through
our entire mirror network, so it's a bit of a challenge to enable TLS for
package downloads.  It's also not clear that encrypting the package
download channel actually buys you much in terms of privacy, since an
attacker can still do quite a lot by correlating the amount of traffic
with the sizes of packages.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
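The integrity chain Russ describes is worth seeing end to end. The script below is an added illustration, not APT's own code and not part of the original thread. It walks the same three links APT checks after gpgv has verified the signature on the Release file (that signature step is assumed already done and is not performed here): the Release file's SHA256 stanza must match the Packages index, and the Packages stanza must match the downloaded .deb. The Release, Packages and .deb contents are constructed stand-ins with the real field layout; the package name, path and codename are sample values, not taken from a real mirror. The tamper test at the end shows why a plain-http mirror cannot substitute a modified .deb, even if it rewrites the Packages index to match: the forged index no longer matches the signed Release file.

```python
"""Offline walk of the APT integrity chain: signed Release -> Packages -> .deb.

Added example with constructed data; not APT's own code. The signature
check over the Release file (InRelease / Release.gpg, done by gpgv against
/etc/apt/trusted.gpg.d) is assumed to have succeeded before this runs.
"""
from __future__ import annotations

import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a .deb; the bytes are not a real ar archive.
DEB_PATH = "pool/main/h/hello/hello_2.10-3_amd64.deb"
DEB_BYTES = b"!<arch>\nconstructed stand-in for hello_2.10-3_amd64.deb\n"


def build_packages(deb: bytes) -> bytes:
    """Build a one-stanza Packages index (real field layout, constructed values)."""
    return (
        "Package: hello\n"
        "Version: 2.10-3\n"
        "Architecture: amd64\n"
        f"Filename: {DEB_PATH}\n"
        f"Size: {len(deb)}\n"
        f"SHA256: {sha256_hex(deb)}\n\n"
    ).encode()


INDEX_PATH = "main/binary-amd64/Packages"
PACKAGES_BYTES = build_packages(DEB_BYTES)

# Constructed Release file carrying the hash of the Packages index above.
RELEASE_BYTES = (
    "Origin: Debian\n"
    "Suite: stable\n"
    "Codename: bookworm\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES_BYTES)} {len(PACKAGES_BYTES)} {INDEX_PATH}\n"
).encode()


def parse_release_sha256(release: bytes) -> dict[str, tuple[str, int]]:
    """Return {path: (sha256, size)} from the SHA256: section of a Release file."""
    entries: dict[str, tuple[str, int]] = {}
    in_section = False
    for line in release.decode().splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):  # next top-level field ends the section
                in_section = False
                continue
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages: bytes) -> list[dict[str, str]]:
    """Split a Packages index into stanzas of field -> value."""
    stanzas: list[dict[str, str]] = []
    cur: dict[str, str] = {}
    for line in packages.decode().splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def verify_index(release: bytes, index_path: str, index: bytes) -> bool:
    """Link 1: the (signed) Release file vouches for the Packages index."""
    expected = parse_release_sha256(release).get(index_path)
    if expected is None:
        return False
    digest, size = expected
    return len(index) == size and hmac.compare_digest(sha256_hex(index), digest)


def verify_deb(packages: bytes, filename: str, deb: bytes) -> bool:
    """Link 2: the Packages index vouches for the downloaded .deb."""
    for stanza in parse_packages(packages):
        if stanza.get("Filename") == filename:
            return (int(stanza["Size"]) == len(deb)
                    and hmac.compare_digest(stanza["SHA256"], sha256_hex(deb)))
    return False


def verify_chain(release: bytes, index_path: str, index: bytes,
                 filename: str, deb: bytes) -> bool:
    """Both links must hold; transport security plays no part in either."""
    return verify_index(release, index_path, index) and verify_deb(index, filename, deb)


if __name__ == "__main__":
    print("genuine:", verify_chain(RELEASE_BYTES, INDEX_PATH, PACKAGES_BYTES, DEB_PATH, DEB_BYTES))
    tampered = DEB_BYTES + b"\x00backdoor"
    forged_index = build_packages(tampered)  # mirror rewrites Packages to match
    print("forged deb + forged index:", verify_chain(RELEASE_BYTES, INDEX_PATH, forged_index, DEB_PATH, tampered))
```

The forged index passes the second link on its own (verify_deb is True for the tampered .deb), which is exactly why APT anchors the chain in the signed Release file rather than in the index or the transport: an attacker on the wire has to forge a Release signature, not just a hash.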
