
Re: Apt sources.list



On Sat, 15 Apr 2023 tomas@tuxteam.de wrote:
On Sat, Apr 15, 2023 at 12:18:57PM -0400, Dan Ritter wrote:
paulf@quillandmouse.com wrote:

Okay. Let's open this can of worms.

I wish more would.

The ONLY reason https is used on most sites is because Google
*mandated* it years ago. ("Mandate" means we'll downgrade your
search ranking if you don't use https.) There is otherwise no
earthly reason to have an encrypted connection to a web server
unless there is some exchange of private information between you
and the server.

... and because Let's Encrypt made it relatively easy, monetarily
free, and automated.

Who doesn't love free tickets to the security theatre?

Google Chrome being one of their sponsors.

Now don't get me wrong: there are many things to like about TLS in
general and about Let's Encrypt in particular. And another sponsor
of Let's Encrypt is the EFF, whose motives, to me at least, are
beyond reproach.

That the EFF is "beyond reproach" is quite a strong statement. Once
upon a time, I would have agreed.

I am no longer so confident. Institutions that pose a genuine threat
(to the agenda of the powers that be) get captured. One must seek out
and examine evidence that contradicts beliefs that make one feel safe.

Placing an institution "beyond reproach" prevents that practice.

But it's a mixed bag, and that "unencrypted is BAAAD" meme is just
security theater.

Security theatre is never cost-free, and always has a purpose. Whose
purpose? Who pays for it? And who endorsed propaganda in favor of its
institution?

"insecure". Though, in truth, the integrity of Debian server contents
wouldn't be changed in the slightest whether the connection was
encrypted or not.


It's nice not to be telling everyone who can sniff a plaintext
connection which packages you are installing,

Without doubt, this is an advantage of a TLS connection. If you
do care about that, here would be one reason.

In case you wish to obscure what software you *install*, but need not
conceal the software you *download*:

 Step one: Make a list of the packages you want, and then augment it
 with as many plausible alternatives and red herrings as you like.

 Step two:
 $ apt-get -d install <many packages>

This downloads the packages only, so you can download packages you
will *not* install, along with ones you will. Then install the proper
subset you want installed, without the '-d' option.

This is more work *for you* than TLS (supposing you don't automate
alternative/red-herring selection). More work for you may be worth the
cost, if the work is effective. This method does not rely on
certificates and "trusted" authorities.

As already mentioned, it does not prevent observers from noticing that
you *downloaded* something forbidden.

and prevents those people from trivially substituting trojan
horses.

Setting aside the question of what class of actors are (or are not) so
thwarted, I was surprised to read this. A clarification or elaboration
might be interesting.

Sufficient clarity and necessary precision often work against one
another.

...and this is downright wrong.

Or perhaps incomplete. I too did a double-take, though, and would like
to hear more.

The Debian packages are signed.

Q: Waaah. Stupid APT won't verify a key.
A: Easy peasy. [Demonstrates how to retrieve and trust attacker's key]
Q: Thanks a lot, anon. It worked!

If you got your first install from a trusted source, this is way
more secure than TLS [1]. TLS doesn't hurt here, but it doesn't help
much, either.

[1] Have you ever had a look at the incredible zoo of root certs
your browser trusts?

What's wrong, Tomas? Don't you want to watch pornographic videos and
conduct your banking with the same application?

--
Hackers are free people. They are like artists. If they are in a good
mood, they get up in the morning and begin painting their pictures.
-- Vladimir Putin
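
The thread's point is that apt's integrity comes from Release-file signatures, not from TLS, and that the easy way to lose it is to talk apt out of verifying (the "Stupid APT won't verify a key" exchange above), while plain http mainly costs confidentiality of the package list. The script below is an added example, not code from the thread or from Debian: it audits classic one-line `deb`/`deb-src` entries for the real sources.list(5) options `trusted=yes` (skips signature verification for that source) and `check-valid-until=no` (accepts expired Release files, so a stale mirror can be replayed), and separately lists plain-http entries. It assumes the one-line format only; deb822 `.sources` files are not parsed, and the host names in the sample file are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits classic one-line apt source
# entries ("deb ..." / "deb-src ...") for options that bypass the package
# signature checks discussed above, and lists plain-http entries, which expose
# the package selection to anyone on the path but do not weaken integrity.
# deb822-style .sources files are not parsed here (assumed out of scope).

# audit_apt_sources FILE
# Prints one finding per line as "FILE:LINENO: message"; prints nothing for
# a clean file.
audit_apt_sources() {
    file="$1"
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # apt matches option names case-insensitively; compare in lowercase
        lc=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
        case "$lc" in
            'deb '*|'deb-src '*) ;;
            *) continue ;;   # comments, blank lines, anything else
        esac
        # Options live in the first [...] group before the URI, e.g.
        # "deb [arch=amd64 trusted=yes] http://..."; normalise to " k=v k=v ".
        opts=''
        case "$lc" in
            *'['*']'*) opts=${lc#*\[}; opts=" ${opts%%\]*} " ;;
        esac
        case "$opts" in
            *' trusted=yes '*)
                echo "$file:$lineno: trusted=yes turns off Release signature verification for this source" ;;
        esac
        case "$opts" in
            *' check-valid-until=no '*)
                echo "$file:$lineno: check-valid-until=no accepts expired Release files (stale-mirror replay)" ;;
        esac
        case "$lc" in
            *'http://'*)
                echo "$file:$lineno: plain http; the package list is visible to observers on the path" ;;
        esac
    done < "$file"
}

# Constructed sample file (not a real system's sources.list) to show the output.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample
deb https://deb.debian.org/debian bookworm main
deb http://deb.debian.org/debian bookworm-updates main
deb [arch=amd64 trusted=yes] http://repo.example.invalid/debian ./
deb [check-valid-until=no] https://mirror.example.invalid/debian bookworm main
EOF
audit_apt_sources "$SAMPLE"
rm -f "$SAMPLE"
```

Run it against `/etc/apt/sources.list` and each file in `/etc/apt/sources.list.d/`. The http finding is deliberately worded as an observability issue rather than an integrity one, which is exactly the distinction the thread draws: a signed archive over http still verifies, whereas a `trusted=yes` entry over https does not.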

