
Re: Debian mirrors and MITM

On Thu, Jul 03, 2014 at 11:05:17AM -0400, Hans-Christoph Steiner wrote:
I definitely agree there are legitimate concerns that using HTTPS on apt mirrors would help, and people who suggest otherwise are out of date on what the threats are.  I think the integrity of the package itself is not reason enough to use HTTPS since the GPG signing is much more reliable for that task.  I break it down into 4

1. package authenticity
(software can be modified while being downloaded)

2. repo availability
(internet services can be blocked by governments and companies)

3. package availability
(software security updates can be individually blocked)

4. who’s downloading what package (currently visible to anyone who can see the network traffic, including open wifi, etc.)

The current apt model covers #1 well, but only covers #2 and #3 with a two week window (the expiration date on the repo metadata).  And it does not cover #4 at all.

HTTPS won't address #1 completely in the presence of mirrors, and Debian doesn't have the resources to serve all users without mirrors. It will not address #2. It may address #3, but less reliably than the current situation. It may make #4 harder for certain scenarios, but not others (traffic analysis of specific host).

Something like tor will be a better solution for #2 & #4 while the current system provides #1 & #3. (And also provides #2 for all practical purposes, given the length of the mirror list.)

Mike Stone
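As an added illustration of the metadata expiry window the thread refers to (example code written for this page, not from the thread or from apt itself): a small parser that reads the Date and Valid-Until fields of a Release file and reports whether a client checking at a given time should treat the metadata as stale. The field names Date and Valid-Until are apt's real ones; the sample file contents, the 14-day window and the helper names are constructed.

```python
from email.utils import parsedate_to_datetime

# Constructed sample of the header part of an apt Release file (hash lists omitted).
# Real Release files carry Date and Valid-Until as RFC 2822 timestamps.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian
Suite: stable
Codename: wheezy
Date: Sat, 05 Jul 2014 10:00:00 UTC
Valid-Until: Sat, 19 Jul 2014 10:00:00 UTC
Architectures: amd64 i386
Components: main
"""


def parse_release(text):
    """Parse the top-level 'Field: value' lines of a Release file into a dict."""
    fields = {}
    for line in text.splitlines():
        # Indented lines are hash-list entries (MD5Sum/SHA256 blocks); skip them.
        if line.startswith(" ") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def freeze_window(text):
    """How long a captured copy of this Release file stays acceptable to clients."""
    f = parse_release(text)
    return parsedate_to_datetime(f["Valid-Until"]) - parsedate_to_datetime(f["Date"])


def metadata_status(text, now):
    """Classify the file as seen at `now` (RFC 2822 string or aware datetime).

    'fresh'     : within the window, a replayed copy is indistinguishable from current
    'expired'   : past Valid-Until, apt would reject it (the freeze is detected)
    'no-expiry' : no Valid-Until at all, an old snapshot could be replayed indefinitely
    """
    f = parse_release(text)
    if "Valid-Until" not in f:
        return "no-expiry"
    now = parsedate_to_datetime(now) if isinstance(now, str) else now
    return "expired" if now > parsedate_to_datetime(f["Valid-Until"]) else "fresh"
```

A mirror that keeps serving this file is accepted for the whole window, which is the "two week" gap for #2 and #3 discussed above; only once Valid-Until passes does apt refuse the stale metadata.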
