Re: HTTPS enabled Debian Security repository
On Monday, 30 October 2017 8:57:00 AM AEDT Hans-Christoph Steiner wrote:
> > The one from 2016 is harder to exploit: I asked on #-apt back then and
> > the sample exploit had a 1/4 success change with a 1.3 GB InRelease file
> > on a memory starved i386 system).
> That hit rate is enough to build malware around...
25% hit rate is enough to be worth exploiting, but 1.3G of extra data greatly
reduces the incidence. The small i386 systems tend not to have fast enough
networking that 1.3G of data could be downloaded without notice.
> Don't get me wrong, I agree that HTTPS is very overcomplicated and
> terrible in a lot of ways. But the days of plain HTTP/TCP are over.
> All connections need to be moving towards encryption. Even with HTTPS'
> faults, we are better off using it than plain HTTP.
I agree. There's little downside nowadays. Squid doesn't work particularly
well caching APT repositories nowadays (strange timeouts and hangs during
downloads) so the caching benefit of non-SSL has mostly gone away.
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/