[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: HTTPS enabled Debian Security repository

I would vote for enabling HTTPs on apt related service. The main idea is
that help to prevent users from leaking the version info of installed
packages. Say, if someone can eavesdrop the communication between the
server and client for a period of time, he/she might be able to know if
the installed packages on the client is vulnerable to some known
attacks. And the other reason is serving packages over HTTPS can help to
mitigate some unwanted problems when the connection is under DPI or
other conditions. 

BR, Morris

On Fri, Oct 27, 2017, at 06:42 PM, Hans-Christoph Steiner wrote:
> Christoph Biedl:
> > 林博仁 wrote...
> > 
> >> I believe that there's no benefit on accessing Debian archive with HTTPS as
> >> they uses GnuPG for authentication
> > 
> > GnuPG indeed serves the purposes of authenticity and integrity very
> > well. Modulo bugs every now and then, but they happen on other layers as
> > well.
> > 
> > Also, nobody should rely on the privacy in this case since the server
> > content is public and the clients have a fairly simple access pattern.
> > Decoding the transfers from this isn't trival but seems doable with some
> > effort - one day I'll write a prove of concept for this.
> > 
> > There is however a reason for https, a sad one though: Braindead
> > "security" applicances that do deep packet inspection and might reject
> > the download of packages.
> > 
> >     Christoph
> > 
> This idea that GPG signatures on the index files is enough has been
> totally disproven.  There was a bug in apt where Debian devices could be
> exploited by feeding them crafted InRelease files:
> https://www.debian.org/security/2016/dsa-3733
> If HTTPS was used, that would mean exploiting that would require
> compromising the mirror servers.  With HTTP only, anyone that can see
> the network traffic can exploit the Debian box.  Plus there are other
> things that using HTTPS improves:
> https://guardianproject.info/2014/10/16/reducing-metadata-leakage-from-software-updates/
> HTTPS does not entirely solve all these problems, but it does
> drastically improve things.
> .hc

Reply to: