[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: concrete steps for improving apt downloading security and privacy

Hash: SHA512

Joel Rees:
> On Fri, Jul 4, 2014 at 11:44 AM, Hans-Christoph Steiner
> <hans@at.or.at> wrote:
>> [rhetoric encouraging the use of TLS transport for mirrors] [list
>> of current https mirrors]
> Far be it from me to argue with ucalgary.ca, but one thing that 
> bothers me about using TLS as a download transport is that, if I
> were the spooks, and I wanted a huge sample of crypts from a known 
> plaintext, I could think of worse ways to go than to get the 
> opensource crowd to provide them for me.

Any popular site with relatively static content would do that. Apple
store or Play store would probably provide a more useful dataset for
them anyway. But if you configure it and the clients to favor
ephemeral keys you reduce the usefulness of captured traffic in being
able to simulate the server itself.

> I mean, yeah, they probably have the resources to simulate the
> debian download infrastructure in their internal server farms, but
> why do their work for them and free their resources up for other
> jobs?

I'm not sure that's a realistic scenario.

> Especially when the only real advantage of using TLS download 
> transport is (the illusion of) being able to download what you
> want without "them" knowing exactly what you downloaded.

Yeah they could probably infer it based on the session size. They do
that for other encrypted streams, like determining successful SSH logins.

But TLS also serves as a sort of sloppy authentication mechanism,
assuring you that someone someplace has vouched for the fact that
you've connected to the system you intended to connect to. It's not
terribly useful when you already sign your packages, but layers etc.

- -- 
I prefer encrypted email.  Get my key here:
PGP Fingerprint: 3261 B9F9 9363 D512 56F8  12DD 127F 4D6A 115D CF62


Reply to: