Re: DOH (was: geolocation services disabled and Gnome maps)
On 4/14/20, Greg Wooledge <wooledg@eeg.ccf.org> wrote:
> On Mon, Apr 13, 2020 at 07:03:12PM -0400, Lee wrote:
>> dnssec just adds a cryptographic signature to the data -- everything
>> is still done "in the clear" (like Debian updates.  or has buster
>> switched to using https for downloading updates?)
>
> The apt-transport-https package is available, but is not installed
> by default.  The Debian mirrors can be accessed via https, but again,
> this is not the default.  (I.e. even if you install apt-transport-https,
> you still have to edit sources.list to use it.)
*sigh* I wasn't able to get that working :(   This was right after I
installed Debian for the first time, so I was pretty much totally
clueless, but it was a complete fail for me.
> Accessing the mirrors via https makes the packages un-cacheable, which
> makes the traffic volume significantly greater -- and the package lists
> are already signed, so there's no gain in trustworthiness of the packages.
>
> Some people may cite "privacy", as in "I don't want them to know which
> window manager I use", or something... I do not understand this
> argument, frankly.  It sounds paranoid to me.
How about people that cite "security"?  And yes, I take the simplistic
approach that encrypted=good and clear-text=bad but clear-text allows
things like
  https://www.guardicore.com/2019/01/a-vulnerability-in-debians-apt-allows-for-easy-lateral-movement-in-data-centers
my understanding is that vuln wouldn't have existed if https had been used.
> I'd *love* to continue using http at work, but my workplace has been
> shutting down more and more plain http sites via their firewall.
Getting rid of clear-text protocols is usually at the top of network
audit checklists & with most people working from home now, it doesn't
surprise me at all that network security is being "improved".
> In the last few weeks, this includes the Debian mirrors.  So, I had to
> switch my work machines to https.  I really did not want to do that,
> because there are several of them, and now they can no longer share
> their package download bandwidth via a simple squid proxy.
>
> I'm not sure if I'll be willing to put the time into trying to come up
> with some other way to share downloads among them.
Yeah.. it's extremely frustrating when 'they' do stupid stuff 'because
security.'
But if you talk to the people in the security group about what's going
on -- if they'll talk to you at all -- they've usually got at least a
semi-reasonable explanation for why.  (because the CIO said so being
the one that frustrated me the most)
Regards,
Lee
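
The point quoted above, that installing apt-transport-https is not enough and sources.list still has to be edited, can be checked mechanically. The script below is an added example, not part of the original thread; it assumes the one-line sources.list format, a constructed sample file, hypothetical function names, and mirrors that actually serve HTTPS.

```shell
#!/bin/sh
# Added example (not from the thread): find and rewrite cleartext APT sources.
# Assumes the one-line sources.list format and mirrors that serve HTTPS.

# Constructed sample input; on a real system read /etc/apt/sources.list instead.
SAMPLE_SOURCES='# constructed sample sources.list
deb http://deb.debian.org/debian buster main
deb-src http://deb.debian.org/debian buster main
deb [arch=amd64] http://deb.debian.org/debian-security buster/updates main
deb https://deb.debian.org/debian buster-updates main
# deb http://deb.debian.org/debian buster-backports main
deb cdrom:[Debian GNU/Linux 10]/ buster main'

# Print "LINE URI" for each active deb/deb-src entry fetched over plain http.
# Comments, https entries and non-network schemes (cdrom:, file:) are skipped.
list_cleartext_sources() {
    awk '
    /^[ \t]*deb(-src)?[ \t]/ {
        rest = $0
        sub(/^[ \t]*deb(-src)?[ \t]+/, "", rest)   # drop the type field
        sub(/^\[[^]]*\][ \t]*/, "", rest)          # drop optional [options]
        split(rest, field, /[ \t]+/)
        if (field[1] ~ /^http:\/\//) print NR, field[1]
    }'
}

# Copy stdin to stdout, switching only the URI scheme of active http entries.
rewrite_to_https() {
    awk '
    match($0, /^[ \t]*deb(-src)?[ \t]+(\[[^]]*\][ \t]*)?http:\/\//) {
        # RLENGTH covers everything up to and including "http://" (7 chars).
        $0 = substr($0, 1, RLENGTH - 7) "https://" substr($0, RLENGTH + 1)
    }
    { print }'
}

echo "cleartext entries before:"
printf '%s\n' "$SAMPLE_SOURCES" | list_cleartext_sources
echo "rewritten file:"
printf '%s\n' "$SAMPLE_SOURCES" | rewrite_to_https
```
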