Re: SSL for debian.org/security?
> A Debian THS is a good idea for the security it provides, not for
> anonymity or down rate. It would be harder for someone to MITM and hide
> updates from you. That is why Debian should use SSL (and THS).
Downloading apt-get updates over Tor hidden services would be awesome!
- Even when an adversary found a way to exploit apt-get's OpenPGP
verification, the exploit could not be used, because Tor hidden
services implement their own encryption/authentication.
- An adversary could not even know that someone is downloading apt-get
- We obscure more internet traffic, good for Tor (diversifying user
base and use cases), adding more hay to the haystack.
- It becomes more difficult to mount rollback/freeze attacks. We have
the valid-until field, but Tor HS would be nice as defense in depth.
And before someone says, the Tor network does not want such kind of
Having my Whonix (a Debian derivative) hat on:
There is no such issue. One can use Tor to download updates. We asked
torproject.org, if it is okay to download operating system updates
over Tor, see  . Andrew Lewman (Executive Director, Director,
press contact) also downloads a lot of updates over Tor and
did not complain.
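
The freshness check that the valid-until field mentioned in the message makes possible, as an added example that is not part of the original post and is not APT's own code. It goes slightly beyond the message by also comparing the Date field against a hypothetical stored last-seen value to flag rollback; the function names and the sample Release text are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: header fields of a Release file (not real archive data).
SAMPLE_RELEASE = """\
Origin: Example
Suite: stable
Date: Sat, 01 Mar 2014 10:00:00 UTC
Valid-Until: Sat, 08 Mar 2014 10:00:00 UTC
SHA256:
 0000 123 main/binary-amd64/Packages
"""

def parse_fields(text):
    """Return the single-line 'Key: value' fields of a Release file."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0] in " \t" or ":" not in line:
            continue  # skip blank lines and indented hash-list entries
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def parse_date(value):
    """Parse the 'Sat, 01 Mar 2014 10:00:00 UTC' form into an aware datetime."""
    parsed = datetime.strptime(value, "%a, %d %b %Y %H:%M:%S UTC")
    return parsed.replace(tzinfo=timezone.utc)

def check_release(text, now, last_seen_date=None):
    """Return a list of findings; an empty list means the metadata looks fresh.

    Assumes the OpenPGP signature over `text` was already verified.
    `last_seen_date` is hypothetical client state: the Date of the newest
    Release file this client accepted before.
    """
    fields = parse_fields(text)
    findings = []
    if "Valid-Until" not in fields:
        findings.append("no-valid-until")  # a replayed old file would never expire
    elif now > parse_date(fields["Valid-Until"]):
        findings.append("expired")         # possible freeze attack or stale mirror
    if "Date" not in fields:
        findings.append("no-date")
    elif last_seen_date is not None and parse_date(fields["Date"]) < last_seen_date:
        findings.append("rollback")        # older than what we already accepted
    return findings
```

A correctly signed but old Release file passes signature verification, which is why the expiry and the last-seen comparison are checked separately from the signature.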