Re: SSL for debian.org/security?
On 29/10/13 12:53, adrelanos wrote:
> Downloading apt-get updates over Tor hidden services would be awesome!
> - Even when an adversary found a way to exploit apt-get's OpenPGP
> verification, the exploit could not be used, because Tor hidden
> services implement their own encryption/authentication.
> - An adversary could not even know that someone is downloading apt-get
> - We obscure more internet traffic, good for Tor (diversifying user
> base and use cases), adding more hay to the haystack.
> - It becomes more difficult to mount rollback/freeze attacks. We have
> the valid-until field, but Tor HS would be nice as defense in depth.
I can't see why not, and I'm starting to really like the idea too!
Let there be awesomeness :)
I think that would be a very contemporary move of Debian.