Re: Debian mirrors and MITM
On 07/03/2014 02:26 PM, Bernhard R. Link wrote:
> * Hans-Christoph Steiner <email@example.com> [140703 18:10]:
>> You are correct that HTTPS would not entirely address #2, but it does
>> improve the situation over HTTP. For example, an ISP, network operator,
>> or government could block an entire mirror or all mirrors by redirecting
>> requests to their own mirror which does not get updates. That would be
>> transparent to the user.
> - An ISP could just offer to host a mirror, thus getting the certificates
> for free. All you could avoid is getting in the way of someone willfully
> wasting bandwidth by using a specific far away mirror.
> - A government could likely just do the same, but with any
> certificates/private keys of any mirrors near you.
Yes, there are definitely still possible attacks, even when using HTTPS+Tor
onion address. I never said what I propose is perfect, just a large improvement.
> - It is only "Transparent" in a very abstract sense of the word. People
> know what security updates there are. Sending outdated stuff to many
> people is hard to hide. So you need a targeted attack, which would
> even cause more suspicion if someone realizes it.
> If someone updates the packages manually, detection chances are
> astronomically high. If things are updated manually then a targeted
> attack might as well block the traffic and also block the mails
> going out about the automated update failing.
In cases like the Great Firewall of China, they do country-wide things like
this. They are quite good at blocking Tor all over China, for example. The
vast majority of Debian/Ubuntu/etc. users only know there are updates because
apt tells them so.
> And then there is still the massive negative aspect of using https,
> which any positive aspects have to trump: If using https, people might
> actually think they can just use a browser or the like to download
> things and get a validated file. Which of course it is not, as so many
> people can trivially inject something. A false feeling of having
> security can be much worse than anything else often.
> Bernhard R. Link
Yes, HTTPS should not be promoted as the thing that keeps the packages secure.
That is the GPG signature. HTTPS mostly serves to obscure the traffic
details from network observers. Many people think nothing of downloading and
installing random software from an HTTP connection, so the bar is not
currently very high.
And there happens to be some concrete data on why this is important; it turns
out that NSA/Five Eyes attempts to track everyone who lives outside the USA
who searches for or downloads Tor: