Your message dated Fri, 14 Aug 2015 14:18:10 +0200
with message-id <20150814121810.GA11362@crossbow>
and subject line Re: Bug#758316: APT: Use HTTPS by default
has caused the Debian Bug report #758316,
regarding APT: Use HTTPS by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
758316: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758316
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: APT: Use HTTPS by default
- From: Freddy <freddymartinez9@gmail.com>
- Date: Sat, 16 Aug 2014 14:13:18 -0500
- Message-id: <53EFAD4E.4020609@gmail.com>
Package: apt
Version: 0.9.7.9+deb7u2

Currently, apt requires install of an additional package apt-transport-https
in order to use HTTPS. Without it, I get errors like this if I use HTTPS:

E: The method driver /usr/lib/apt/methods/https could not be found.
E: The method driver /usr/lib/apt/methods/https could not be found.
E: The method driver /usr/lib/apt/methods/https could not be found.

This is an important security bug for two reasons. It's irresponsible to
expose what packages a user has on their computers before they update. An
attacker could simply interrupt the package download and exploit a *known*
security hole before a user can upgrade their package. However, it's also
important to deploy SSL *everywhere* and by default.

Freddy Martinez
--- End Message ---
--- Begin Message ---
- To: 758316-done@bugs.debian.org
- Subject: Re: Bug#758316: APT: Use HTTPS by default
- From: David Kalnischkies <david@kalnischkies.de>
- Date: Fri, 14 Aug 2015 14:18:10 +0200
- Message-id: <20150814121810.GA11362@crossbow>
- In-reply-to: <CAEA6rAzn29aKHZ=QQNcLGTOWaT2=7rAMOQV9m1=LsW7LmR9qFw@mail.gmail.com>
- References: <53EFAD4E.4020609@gmail.com> <1419319713.5046.26.camel@googlemail.com> <CANNZinew8AzNuJnKVt89pV_s=vt_Zg0FCtST_A0dAj5CAECbLA@mail.gmail.com> <CAEA6rAzn29aKHZ=QQNcLGTOWaT2=7rAMOQV9m1=LsW7LmR9qFw@mail.gmail.com>
On Mon, Dec 29, 2014 at 08:31:39PM +0100, Julian Andres Klode wrote:
> On Mon, Dec 29, 2014 at 8:23 PM, Freddy Martinez
> <freddymartinez9@gmail.com> wrote:
> > Thanks, you are correct about the http / https in the sources.list.
> > But my concern is about security. Downloading binaries over
> > unauthenticated connections via HTTP is not good, especially when
> > you're downloading security updates. As a project, Debian should
> > prioritize mirrors that use HTTPS. I know that is a hard thing to do
> > given that most mirrors are run by volunteers at various locations
> > (universities, labs etc) but it should be discussed and implemented.
>
> It does not make sense to use https. All data is authenticated using
> GPG signatures. https only offers some encryption on top of that, so
> nobody will know which package you are fetching, but that's an
> entirely minor issue.

Beside that, by careful observation you can predict from the size of data
pushed over the encrypted line what data is shipped over it, as the size of
the data is public knowledge.

https can only protect you from someone interfering with what is sent to
you – but we are protected against that for a very long time already by
apt-secure usage. And in this form, https is even weaker than apt-secure as
we sign end to end while https just protects the transport between hops –
aka non-Debian controlled mirrors would be a problem with https.

All the wonderful other attributes assigned to https aren't really true as
it is e.g. not for privacy: Everyone can see to which server you are
talking to, you need to use something like Tor for that.

Having more https mirrors and/or using them as user would be nice to have
maybe, but there is no explicit need for it and NOT needed for security
reasons.

Hence closing as apt can do nothing about it, at best this is a mirror
teams task, but not really actionable for them either…

Best regards

David Kalnischkies

Attachment: signature.asc
Description: Digital signature
--- End Message ---
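The two technical points in the closing reply above, that apt-secure's end-to-end hash chain (signed Release, then Packages index, then .deb) already catches tampering regardless of transport, and that a passive observer of an HTTPS download can still infer the package from its size because every Size field in the Packages index is public, are illustrated by the following added example. It is not code from the thread, from apt or from Debian; the repository, Release and Packages contents are constructed in memory, the TLS/HTTP overhead window used for fingerprinting is an assumed range, and the OpenPGP signature over Release (which apt checks with gpgv before anything below it is trusted) is taken as already verified and is not re-implemented here.

```python
"""Apt-style integrity chain and size fingerprinting (added example, not from the
BTS thread, apt or Debian).

Assumptions:
- the Release file, Packages index and .deb payloads are all constructed here;
- the OpenPGP signature that apt-secure verifies over Release (InRelease or
  Release.gpg, checked with gpgv) is assumed to have already passed, so this
  block only walks the hash chain beneath that signature;
- the (lo, hi) overhead window in fingerprint_by_size is an assumed range for
  TLS record and HTTP header bytes, not a measured value.
"""
import hashlib
import re

# Constructed sample pool: two fake .deb payloads (ar archive magic plus filler).
DEBS = {
    "pool/main/f/foo/foo_1.0-1_amd64.deb": b"!<arch>\n" + b"A" * 1200,
    "pool/main/b/bar/bar_2.3_amd64.deb": b"!<arch>\n" + b"B" * 30000,
}

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_packages_index(debs):
    """Emit a Packages index in Debian control format, one stanza per .deb,
    with the Filename/Size/SHA256 fields apt uses to check a download."""
    stanzas = []
    for path, blob in sorted(debs.items()):
        name = path.rsplit("/", 1)[1].split("_")[0]
        stanzas.append(
            f"Package: {name}\nArchitecture: amd64\nFilename: {path}\n"
            f"Size: {len(blob)}\nSHA256: {_sha256(blob)}\n"
        )
    return "\n".join(stanzas).encode()

def build_release(packages_index):
    """Emit the part of a Release file that matters here: the SHA256 block that
    pins each index file by digest and size. In a real archive this whole file
    is what the archive key signs."""
    return (
        "Suite: stable\nArchitecture: amd64\nSHA256:\n"
        f" {_sha256(packages_index)} {len(packages_index)} main/binary-amd64/Packages\n"
    ).encode()

def parse_packages(index: bytes):
    """Parse blank-line separated stanzas into dicts keyed by field name."""
    pkgs = []
    for stanza in re.split(rb"\n\n+", index.strip()):
        fields = {}
        for line in stanza.decode().splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        pkgs.append(fields)
    return pkgs

def parse_release_sha256(release: bytes):
    """Return {index_path: (sha256_hex, size)} from the SHA256: block of Release."""
    entries, in_block = {}, False
    for line in release.decode().splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                break
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def verify_chain(release, packages_index, index_path, deb_path, deb_blob):
    """Walk the end-to-end chain: (signed) Release -> Packages index -> .deb.
    Any hop that was tampered with in transit, on a mirror or anywhere else
    yields a mismatch, which is why the transport does not need to be trusted."""
    expected = parse_release_sha256(release).get(index_path)
    if expected is None:
        return "index not listed in Release"
    if expected != (_sha256(packages_index), len(packages_index)):
        return "Packages index does not match Release"
    for pkg in parse_packages(packages_index):
        if pkg.get("Filename") == deb_path:
            if int(pkg["Size"]) != len(deb_blob) or pkg["SHA256"] != _sha256(deb_blob):
                return ".deb does not match Packages"
            return "ok"
    return ".deb not listed in Packages"

def fingerprint_by_size(packages_index, observed_bytes, overhead=(0, 600)):
    """Passive observer's view of an HTTPS download: given only the number of
    bytes seen on the wire, list packages whose public Size fits once an
    assumed (lo, hi) window of TLS/HTTP overhead is subtracted."""
    lo, hi = overhead
    return sorted(
        p["Package"] for p in parse_packages(packages_index)
        if observed_bytes - hi <= int(p["Size"]) <= observed_bytes - lo
    )
```

Run verify_chain against the constructed repository and then against a .deb with one byte appended or an index with one field edited: only the untouched chain returns "ok". The fingerprinting function shows the other side of the reply: with only two packages in the index a single observed transfer size already identifies the download, and a real index with many similarly sized packages only widens the candidate list rather than hiding it.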