Re: Debian mirrors and MITM

[Michael Stone <mstone@debian.org>]

On Thu, Jul 03, 2014 at 11:05:17AM -0400, Hans-Christoph Steiner wrote:
> I definitely agree there are legitimate concerns that using HTTPS on apt mirrors would help, and people who suggest otherwise are out of date on what the threats are.  I think the integrity of the package itself is not reason enough to use HTTPS since the GPG signing is much more reliable for that task.  I break it down into 4
>
> 1. package authenticity
> (software can be modified while being downloaded)
>
> 2. repo availability
> (internet services can be blocked by governments and companies)
>
> 3. package availability
> (software security updates can be individually blocked)
>
> 4. who’s downloading what package (currently visible to anyone who can see the network traffic, including open wifi, etc.)
>
>
> The current apt model covers #1 well, but only covers #2 and #3 with a two week window (the expiration date on the repo metadata).  And it does not cover #4 at all.

HTTPS won't address #1 completely in the presence of mirrors, and debian 
doens't have the resources to serve all users without mirrors. It will 
not address #2. It may address #3, but less reliably than the current 
siutation. It may make #4 harder for certain scenarios, but not others 
(traffic analysis of specific host).

Something like tor will be a better solution for #2, & #4 while the 
current system provides #1 & #3. (And also provides #2 for all practical 
purposes, given the length of the mirror list.)

Mike Stone