Re: HTTPS enabled Debian Security repository

To: debian-security@lists.debian.org
Subject: Re: HTTPS enabled Debian Security repository
From: Morris Taylor <morris@eml.cc>
Date: Fri, 27 Oct 2017 21:59:08 +0800
Message-id: <[🔎] 1509112748.1434461.1153015704.51ACBE97@webmail.messagingengine.com>
In-reply-to: <[🔎] badc97dc-9b14-b26d-ae3b-26eeecbd8414@at.or.at>
References: <[🔎] e93a57a8-8ab1-88fc-2e5b-fb3cd005038d@gmail.com> <[🔎] CADyC1h0W5LkOkf-MOQdh6aXm9LeEr1kDL_YTDWFx-XD4rv7h+A@mail.gmail.com> <[🔎] 1509040924@msgid.manchmal.in-ulm.de> <[🔎] badc97dc-9b14-b26d-ae3b-26eeecbd8414@at.or.at>

I would vote for enabling HTTPs on apt related service. The main idea is
that help to prevent users from leaking the version info of installed
packages. Say, if someone can eavesdrop the communication between the
server and client for a period of time, he/she might be able to know if
the installed packages on the client is vulnerable to some known
attacks. And the other reason is serving packages over HTTPS can help to
mitigate some unwanted problems when the connection is under DPI or
other conditions. 

--
BR, Morris

On Fri, Oct 27, 2017, at 06:42 PM, Hans-Christoph Steiner wrote:
> 
> 
> Christoph Biedl:
> > 林博仁 wrote...
> > 
> >> I believe that there's no benefit on accessing Debian archive with HTTPS as
> >> they uses GnuPG for authentication
> > 
> > GnuPG indeed serves the purposes of authenticity and integrity very
> > well. Modulo bugs every now and then, but they happen on other layers as
> > well.
> > 
> > Also, nobody should rely on the privacy in this case since the server
> > content is public and the clients have a fairly simple access pattern.
> > Decoding the transfers from this isn't trival but seems doable with some
> > effort - one day I'll write a prove of concept for this.
> > 
> > There is however a reason for https, a sad one though: Braindead
> > "security" applicances that do deep packet inspection and might reject
> > the download of packages.
> > 
> >     Christoph
> > 
> 
> This idea that GPG signatures on the index files is enough has been
> totally disproven.  There was a bug in apt where Debian devices could be
> exploited by feeding them crafted InRelease files:
> 
> https://www.debian.org/security/2016/dsa-3733
> 
> If HTTPS was used, that would mean exploiting that would require
> compromising the mirror servers.  With HTTP only, anyone that can see
> the network traffic can exploit the Debian box.  Plus there are other
> things that using HTTPS improves:
> 
> https://guardianproject.info/2014/10/16/reducing-metadata-leakage-from-software-updates/
> 
> HTTPS does not entirely solve all these problems, but it does
> drastically improve things.
> 
> .hc
>

Reply to:

Follow-Ups:
- Re: HTTPS enabled Debian Security repository
  - From: Luca Filipozzi <lfilipoz@debian.org>

References:
- HTTPS enabled Debian Security repository
  - From: Marek Sebera <marek.sebera@gmail.com>
- Re: HTTPS enabled Debian Security repository
  - From: 林博仁 <buo.ren.lin@gmail.com>
- Re: HTTPS enabled Debian Security repository
  - From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
- Re: HTTPS enabled Debian Security repository
  - From: Hans-Christoph Steiner <hans@at.or.at>

Prev by Date: Re: HTTPS enabled Debian Security repository
Next by Date: Re: HTTPS enabled Debian Security repository
Previous by thread: Re: HTTPS enabled Debian Security repository
Next by thread: Re: HTTPS enabled Debian Security repository
Index(es):
- Date
- Thread