
Re: SSL for debian.org/security?



On 29-10-2013 09:56, Celejar wrote:
> The OP was asking for authentication, not encryption.
>
> Celejar
Tor HS addresses are self-authenticating (80 bits of entropy).
It is possible (and very hard) to create an alias but it is much better
than clear text over http.

On 29-10-2013 09:53, adrelanos wrote:
> Downloading apt-get updates over Tor hidden services would be awesome!
>
> - Even when an adversary found a way to exploit apt-get's OpenPGP
> verification, the exploit could not be used, because Tor hidden
> services implement their own encryption/authentication.
> - An adversary could not even know that someone is downloading apt-get
> updates.
If someone needs speed, it is possible to run "apt-get update" over Tor and
"apt-get upgrade" over http or https (but the security will rely only on
OpenPGP and SSL).
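
The "self-authenticating (80 bits of entropy)" property mentioned in the message above, as an added example that is not part of the original post and is not Tor's own code: a 16-character hidden service name of that era is the base32 encoding of the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA public key, so a client can check the presented key against the name itself. The function names and the two key byte strings are assumptions made for illustration; the byte strings are constructed stand-ins, not real RSA keys.

```python
import base64
import hashlib
import hmac

ONION_HASH_BYTES = 10  # 80 bits, the figure quoted in the message

# Constructed placeholders standing in for DER-encoded RSA public keys.
KEY_A = b"constructed-stand-in-for-der-public-key-A"
KEY_B = b"constructed-stand-in-for-der-public-key-B"


def onion_address(pubkey_der: bytes) -> str:
    """Derive the name: base32(first 80 bits of SHA-1(public key))."""
    digest = hashlib.sha1(pubkey_der).digest()[:ONION_HASH_BYTES]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"


def key_matches_address(address: str, pubkey_der: bytes) -> bool:
    """Client-side check: does the presented key hash to the requested name?"""
    address = address.strip().lower()
    if not address.endswith(".onion"):
        return False
    label = address[: -len(".onion")]
    if len(label) != 16:
        return False
    try:
        expected = base64.b32decode(label.upper())
    except ValueError:  # characters outside the base32 alphabet
        return False
    actual = hashlib.sha1(pubkey_der).digest()[:ONION_HASH_BYTES]
    # Constant-time comparison of the two 80-bit values.
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    addr = onion_address(KEY_A)
    print(addr)
    print("genuine key accepted:", key_matches_address(addr, KEY_A))
    print("other key accepted:  ", key_matches_address(addr, KEY_B))
```

Because the name is only an 80-bit truncated hash, the check holds only as long as finding a second key with the same 80-bit prefix stays infeasible, which is the "possible (and very hard)" alias case the message refers to.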

