
Re: SSL for debian.org/security?



On 10/30/2013 10:49 AM, Norbert Kiszka wrote:
> On 2013-10-30, Wed at 11:34 -0200, Djones Boni wrote:
>> On 30-10-2013 11:05, Celejar wrote:
>>> You're snipping crucial context; my comment above was in response to
>>> this:
>>>> For apt-get a self-signed certificate could be used which comes together
>>>> with Debian. No CA required. This is both simpler and safer.
>>> I was pointing out that this comment makes no sense in the context of
>>> apt-get. It sounds like you're referring to the website or email system.
>> I am talking about updates.
>>
>> Yes. Apt uses OpenPGP to verify the integrity and authenticity of the
>> packages it downloads.
>> But how does apt get these packages? Over insecure HTTP.
>>
>> Hacking DNS or a MITM attack can hide updates from you or from a country. Then
>> you are vulnerable due to out-of-date software and you don't even know
>> about it.
>>
>>
> 
> 
>> and you don't even know
>> about it.
> 
> That's why I am on the debian-security@lists.debian.org

A governmental firewall could just as easily block an email as it could
block/filter information about security updates.  In order to understand why
Tor and TLS would be useful here, it is good to break down the various concerns
(or threats if you prefer):

1. package authenticity (provided by the GPG signatures)
2. package availability (can currently be manipulated by MITM)
3. repo availability (can be blocked by firewalls)
4. who's downloading what package (currently visible to anyone who can see the
network traffic)

Most people are used to thinking about #1 when thinking about the security of
Debian repos.  But 2-4 are also important, and currently not well addressed.
This is where TLS and Tor come in.  Both can help prevent MITM manipulations
as well as reduce the amount of information that is leaked to the network.
Tor can also help with #3 since Tor is difficult to block (though China and
Iran are effectively blocking Tor traffic these days).

I think having official Debian repos available with both TLS and Tor available
as options is a very good idea.  I'm happy to help where I can, but I'm not on
the sysadmin team (though I was a sysadmin in a former life).

Also, there are a number of official mirrors that already support TLS.  I
haven't looked to see if there are any repos available from a Tor Hidden Service.

.hc
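Concern #2 above (a MITM serving an old but validly signed copy of the archive so that a client never sees new updates) is the one that transport security alone does not fully close; the complementary check is the Valid-Until field that Debian Release files carry, which bounds how long a replayed snapshot stays acceptable. The script below is an added example, not code from this thread or from apt itself; it parses a Release body, flags a missing or expired Valid-Until and a future Date, and verifies an index against the SHA256 list. The Release text and Packages index are constructed samples, the 5-minute skew allowance is an arbitrary choice, and the check assumes the OpenPGP signature on the Release has already been verified (as apt does before it looks at any of these fields).

```python
"""Detect a frozen/replayed APT Release file and a tampered index.

Added example, not code from the debian-security thread or from apt.
Assumes a Release body in the standard Debian field layout and that its
OpenPGP signature was verified first.  All inputs below are constructed.
"""
import hashlib
from datetime import datetime, timedelta, timezone

# Debian Release files use RFC 2822-style dates, always in UTC.
_DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"
_SKEW = timedelta(minutes=5)  # arbitrary tolerance for clock skew (assumption)


def utc(year, month, day, hour=0, minute=0):
    """Convenience constructor for an aware UTC datetime."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_debian_date(value):
    return datetime.strptime(value, _DATE_FMT).replace(tzinfo=timezone.utc)


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample index (not a real Debian Packages file).
SAMPLE_PACKAGES = b"Package: example\nVersion: 1.0-1\nArchitecture: amd64\n\n"

# Constructed Release body; the hash line is computed from the sample above.
SAMPLE_RELEASE = (
    "Origin: Debian\n"
    "Suite: stable-security\n"
    "Date: Wed, 30 Oct 2013 12:00:00 UTC\n"
    "Valid-Until: Wed, 06 Nov 2013 12:00:00 UTC\n"
    "SHA256:\n"
    f" {_sha256(SAMPLE_PACKAGES)} {len(SAMPLE_PACKAGES)} main/binary-amd64/Packages\n"
)


def parse_release(text):
    """Return (header fields, {path: (sha256 hex, size)}) from a Release body."""
    fields, hashes, current = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" "):
            # Indented lines belong to the preceding hash section.
            if current == "SHA256":
                digest, size, path = line.split()
                hashes[path] = (digest, int(size))
        elif ":" in line:
            key, _, value = line.partition(":")
            current = key
            fields[key] = value.strip()
    return fields, hashes


def check_release(release_text, index_blobs, now):
    """Return a list of problems; an empty list means the Release is acceptable.

    index_blobs maps archive-relative paths to the downloaded index bytes.
    """
    fields, hashes = parse_release(release_text)
    problems = []

    if parse_debian_date(fields["Date"]) > now + _SKEW:
        problems.append("Date is in the future: clock skew or forged Release")

    if "Valid-Until" not in fields:
        problems.append("no Valid-Until: a replayed old Release would never expire")
    elif now > parse_debian_date(fields["Valid-Until"]):
        problems.append("Release expired: stale copy, possible freeze/replay attack")

    for path, blob in index_blobs.items():
        if path not in hashes:
            problems.append(f"{path} is not listed in the Release file")
            continue
        digest, size = hashes[path]
        if len(blob) != size or _sha256(blob) != digest:
            problems.append(f"{path} does not match the hash in the Release file")
    return problems


if __name__ == "__main__":
    indexes = {"main/binary-amd64/Packages": SAMPLE_PACKAGES}
    print("fresh:", check_release(SAMPLE_RELEASE, indexes, utc(2013, 10, 31)))
    print("stale:", check_release(SAMPLE_RELEASE, indexes, utc(2013, 12, 1)))
    tampered = {"main/binary-amd64/Packages": SAMPLE_PACKAGES + b"Package: evil\n"}
    print("tampered:", check_release(SAMPLE_RELEASE, tampered, utc(2013, 10, 31)))
```

The point of the example is the division of labour: the signature and the hash list give authenticity (#1), while Valid-Until limits how long a withheld update can go unnoticed even when the transport is plain HTTP. apt performs the same expiry check itself (controlled by Acquire::Check-Valid-Until), so the practical advice is to leave that check enabled and, where a repository omits Valid-Until, to treat TLS or Tor as the only thing standing between you and a silent freeze.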




