[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: No port 443 (https) available at "security.debian.org"-repository

On Tue, Jul 25, 2017 at 09:56:41PM +0100, Chris Lamb wrote:
> > your repositories on "debian.org" (especially "http://security.debian.org/";
> > !!) are not!
> The files are cryptographically signed which guarantees
> they haven't been tampered with in transit (modulo replay
> attacks which are handled in a different way).
> The only thing adopting might provide would be some quasi-
> anonymity with regards to which packages you are downloading
> but even that is doubtful since the package sizes themselves
> are very revealing.

Lemme elaborate upon what Chris said:

https provides no protection against targetted attacks by government agents. 
The CA cartel model consists of 400+ CAs, many of them outright controlled
by governments, most of the rest doing what they're told (no, warrants are
are a story for nice kids).  Clients in general trust _any_ CA, which means
you're only as secure as the worst CA.  Ie, https protects you against Joe
Script Kiddie but not against a capable opponent.

Since we control apt, it'd be possible to pin the certificates of certain
mirrors, but that'd be error-prone and probably not worth the hassle.

For regular websites, even CA-model https makes untargetted dragnet
surveillance prohibitively expensive, but this is not the case for

apt has a much better scheme against tampering with the data, so here https
is redundant.  It can, though, provide privacy and thus security by not
letting an attacker know what you run.  But, that privacy could be:

* knowing that you run Debian.  It's enough to notice you're connecting to a
  Debian mirror, encrypted or not.

* knowing what packages you run.
  • For a regular mirror, there are tens of thousands of packages, any of
    which you may install at an arbitrary time, and you usually pull a bunch
    of libraries/etc as well so neither timing nor file sizes reveal
    anything interesting.
  • Security updates.  Even on busiest for the DSA days, there's never more
    than a few updates at once, thus it's obvious what you download
    (whatever just got updated), and file sizes remove any remaining doubt.

Thus, there's not much point in switching security.debian.org to https.

⢀⣴⠾⠻⢶⣦⠀ What Would Jesus Do, MUD/MMORPG edition:
⣾⠁⢰⠒⠀⣿⡁ • multiplay with an admin char to benefit your mortal
⢿⡄⠘⠷⠚⠋⠀ • abuse item cloning bugs (the five fishes + two breads affair)
⠈⠳⣄⠀⠀⠀⠀ • use glitches to walk on water

Reply to: