[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: HTTPS enabled Debian Security repository

On Monday, 30 October 2017 8:57:00 AM AEDT Hans-Christoph Steiner wrote:
> > The one from 2016 is harder to exploit: I asked on #-apt back then and
> > the sample exploit had a 1/4 success change with a 1.3 GB InRelease file
> > on a memory starved i386 system).
> That hit rate is enough to build malware around...

25% hit rate is enough to be worth exploiting, but 1.3G of extra data greatly 
reduces the incidence.  The small i386 systems tend not to have fast enough 
networking that 1.3G of data could be downloaded without notice.

> Don't get me wrong, I agree that HTTPS is very overcomplicated and
> terrible in a lot of ways.  But the days of plain HTTP/TCP are over.
> All connections need to be moving towards encryption.  Even with HTTPS'
> faults, we are better off using it than plain HTTP.

I agree.  There's little downside nowadays.  Squid doesn't work particularly 
well caching APT repositories nowadays (strange timeouts and hangs during 
downloads) so the caching benefit of non-SSL has mostly gone away.

My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Reply to: