
Bug#745259: ITP: apt-transport-tor -- APT transport for anonymous package downloads via Tor



On 22 April 2014 12:03, Raphael Geissert <geissert@debian.org> wrote:
> By using curl you are basically allowing the mirror (or anyone who can
> intercept the clear text) to tell "normal" and tor users apart. Think
> of targeted attacks.

Hi Raphael,

Tor users can be identified by IP in any case - the important thing is
that all Tor users look alike.  I think it might be worth matching the
user-agent string with "normal" apt - but I don't know if libcurl is
sending any other headers that set it apart.  I'll give it some
thought.

But if most users sending apt over Tor switch to this acquire method,
then so long as there is no way to tell those users apart from each
other, it is difficult to target individuals.

In this case, everything is GPG-signed anyway, so I don't think we're
talking about active MITM attacks - it's about confidentiality around
which software an individual is using/installing.

Kind regards,

-- 
Tim Retout <diocles@debian.org>

