Re: HTTPS enabled Debian Security repository
Christoph Biedl:
> 林博仁 wrote...
>
>> I believe that there's no benefit on accessing Debian archive with HTTPS as
>> they uses GnuPG for authentication
>
> GnuPG indeed serves the purposes of authenticity and integrity very
> well. Modulo bugs every now and then, but they happen on other layers as
> well.
>
> Also, nobody should rely on the privacy in this case since the server
> content is public and the clients have a fairly simple access pattern.
> Decoding the transfers from this isn't trival but seems doable with some
> effort - one day I'll write a prove of concept for this.
>
> There is however a reason for https, a sad one though: Braindead
> "security" applicances that do deep packet inspection and might reject
> the download of packages.
>
> Christoph
>
This idea that GPG signatures on the index files is enough has been
totally disproven. There was a bug in apt where Debian devices could be
exploited by feeding them crafted InRelease files:
https://www.debian.org/security/2016/dsa-3733
If HTTPS was used, that would mean exploiting that would require
compromising the mirror servers. With HTTP only, anyone that can see
the network traffic can exploit the Debian box. Plus there are other
things that using HTTPS improves:
https://guardianproject.info/2014/10/16/reducing-metadata-leakage-from-software-updates/
HTTPS does not entirely solve all these problems, but it does
drastically improve things.
.hc
Reply to: