Re: SSL for debian.org/security?

To: burgers.rob@gmail.com
Cc: "debian-security@lists.debian.org" <debian-security@lists.debian.org>
Subject: Re: SSL for debian.org/security?
From: Djones Boni <07ea86bb4e@gmail.com>
Date: Tue, 29 Oct 2013 09:18:40 -0200
Message-id: <[🔎] 526F9990.8000907@gmail.com>
In-reply-to: <[🔎] 526f8fee.81680e0a.5e18.023e@mx.google.com>
References: <[🔎] CAAy1gkeUt_jr0uDt0B=HdnAZnmmHDqygrwgYg4dU7X9zjVUrSA@mail.gmail.com> <[🔎] 526F7FDF.7030601@tightwax.com>,<[🔎] 526F8967.5070707@gmail.com> <[🔎] 526f8fee.81680e0a.5e18.023e@mx.google.com>

On 29-10-2013 08:36, burgers.rob@gmail.com wrote:

Its not tor itself that was compromised but the version of Firefox bundled with the Tor browser bundle. They used a 0day to install a tracking cookie in FF.

The FF bug exploited by Freedom Hosting script was not a 0day one.
There was a updated TBB which fixed it a month before the attack (only MSOSs were exploited with that script).

If anyone use TBB to access Debian hidden service to verify security updates and TBB leak information to LEA. What could they do?
"Aham! He uses Debian. Let's arrest him!"

A Debian THS is a good idea for the security it provides, not for anonymity or down rate.
It would be harder to someone MITM and hide updates from you.
That is why Debian should use SSL (and THS).

Reply to:

Follow-Ups:
- Re: SSL for debian.org/security?
  - From: adrelanos <adrelanos@riseup.net>

References:
- SSL for debian.org/security?
  - From: Mark Haase <mark.haase@lunarline.com>
- Re: SSL for debian.org/security?
  - From: Nikolay Kubarelov <niko@tightwax.com>
- Re: SSL for debian.org/security?
  - From: Djones Boni <07ea86bb4e@gmail.com>
- Re: SSL for debian.org/security?
  - From: <burgers.rob@gmail.com>

Prev by Date: Re: SSL for debian.org/security?
Next by Date: Re: SSL for debian.org/security?
Previous by thread: Re: SSL for debian.org/security?
Next by thread: Re: SSL for debian.org/security?
Index(es):
- Date
- Thread