On 07/07/2014 06:43 PM, Jeremie Marguerie wrote:
> On Mon, Jul 7, 2014 at 3:15 PM, Lou RUPPERT <himself@louruppert.com> wrote:
>>> If I'm looking at a catalog page from a shoe store on my table,
>>> connected via the phone network, getting close to my 2G cap for my
>>> wireless router for the month. My battery's getting low. Do I want
>>> to waste bandwidth and CPU cycles for TLS encoding, just for
>>> pictures of shoes?
>>
>> Let's try to turn our focus back to the question at hand, which is
>> whether there are merits to promoting https mirrors for users who have
>> concerns about being watchlisted based on their software choices. I
>> think client cpu cycle and bandwidth concerns are a bit of an
>> anachronism these days anyway.
>
> I think you pulled out the only reason why using https for mirrors
> would be useful.
>
> The threat analysis doesn't show any practicable way for the any
> attacker to prevent alter packages even with control of the network.
> He could block updates but the client-side would notice: out-of-date
> repository and package list, failed to download specific packages.
>
> HTTPS is a solution to this risk scenario:
> A) I don't want anyone to know which package I download (passive listening)
> B) I don't want a third party to selectively prevent me from
> downloading a package/update (active man in the middle)
>
> Scenario A is more likely to happen or to already be in place.
>
> HTTPS in this case is *not* about security but just privacy.
>
> 1) Performance concern: The CPU cycles for encrypting is now low
> enough so that it seems feasible. Not all package providers need to
> provide https-based repository but having a few of those and give them
> visibility would be greatly appreciated.
>
> 2) TLS certificates: we do not need the package to be behind a
> "debian" certificate, just to be behind a certificate trusted by a
> recognized third party (same requirement as for websites). Since we do
> not seek authentication of the package but just privacy, we only need
> to ensure that we talk to the server we wanted to, whichever it is.

I'm trying to practice what I preach here, so I set up my very first
debian mirror. It is hosted on my home connection, so be gentle. It is
only debian-security for amd64 and i386:

deb http://dju2peblv7upfz3q.onion/debian-security/ wheezy/updates main

This is a test repo, so be sure to keep a real debian-security mirror in
your sources.list! Just put it after the above line, and apt-get will
prefer the tor hidden service, but still get the latest updates
available from debian-security.

.hc