
Re: Accessing security.debian.org through https



On Sat, Apr 18, 2020 at 09:13:43PM +0300, Reco wrote:
> 	Hi.
> 
> On Sat, Apr 18, 2020 at 06:48:59PM +0100, André Rodier wrote:
> > I am investigating the option to enforce https access on my network,
> > and I am surprised I have no way to access security.debian.org.
> 
> Technically, you can: https://deb.debian.org/debian-security
> Not that using it will not be useful in any way as currently it just
> serves an HTTP redirect to http://security.debian.org
> 
> > Is there any reason why https is not supported (yet?),
> 
> 1) HTTPS vs HTTP is noticeable in terms of server load, especially if
> the whole world tries to get the same package at the same time.
> 
> 2) Release files are GPG signed, and contain multiple checksums for
> every package served.
> A package (or a Release) that's substituted by a third party will be
> noticed by a local apt (so integrity is here), and confidentiality is
> not an issue here.
> 
Maybe/maybe not.  If part of your threat model includes "an adversary
might tailor an attack based on which packages I have installed on my
system", then confidentiality might be at issue.  It is a weak argument,
but I've known people to use it.  Of course, it is not too hard to
defeat using metadata (i.e., the size of a downloaded package, even over
HTTPS, is probably enough information to identify a package fairly
uniquely).

Your point about server load is more important and a simple, effective,
and efficient way to address the confidentiality matter is to mirror the
entire Debian repository and security repository then have your machines
use the internal mirror.

Regards,

-Roberto

-- 
Roberto C. Sánchez
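Reco's second point rests on apt's checksum chain: the signed Release file lists the hash of each Packages index, and each index lists the hash of every .deb, so a substituted file fails locally whatever transport it came over. The script below is an added example (not code from this thread or from apt itself) that walks that chain over constructed sample data; it assumes the GPG signature on the Release file has already been verified and checks only the SHA256 links.

```python
import hashlib
# Constructed sample data (not real Debian content); the GPG signature on the
# Release file is assumed verified already, only the hash chain it anchors is checked.
DEB_BYTES = b"constructed .deb contents"
DEB_PATH = "pool/main/e/example-tool/example-tool_1.0-1_amd64.deb"
INDEX_PATH = "main/binary-amd64/Packages"
PACKAGES_INDEX = (
    "Package: example-tool\n"
    "Version: 1.0-1\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
).encode()
RELEASE = (
    "Suite: stable-security\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES_INDEX).hexdigest()} {len(PACKAGES_INDEX)} {INDEX_PATH}\n"
)

def release_entries(release_text):
    """Map index path -> (sha256, size) from the SHA256 block of a Release file."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_block = False  # any other header (MD5Sum:, SHA1:, ...) ends the block
    return entries

def packages_entries(index_bytes):
    """Map Filename -> (sha256, size) from a Packages index (stanzas split by blank lines)."""
    entries = {}
    for stanza in index_bytes.decode().strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        entries[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return entries

def blob_matches(data, expected):
    return len(data) == expected[1] and hashlib.sha256(data).hexdigest() == expected[0]

def verify_chain(release_text, index_path, index_bytes, deb_path, deb_bytes):
    """Release -> Packages -> .deb: True only if every link of the chain holds."""
    rel = release_entries(release_text)
    if index_path not in rel or not blob_matches(index_bytes, rel[index_path]):
        return False
    pkgs = packages_entries(index_bytes)
    return deb_path in pkgs and blob_matches(deb_bytes, pkgs[deb_path])
```

A package swapped for one of the same size, or an edited Packages index, fails the chain even though the transfer itself was never encrypted, which is the integrity property the thread relies on.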

