Greetings list :) > So, the real question: > > So, when are we going to push this? If not now, what criteria need to be > met? Why can't we https-ify the default CDN mirror today? > > (Sadly this means my trick to MITM the debian mirrors with my LAN mirror > breaks, but this strikes me as a feature not a bug) > > Toodles, > paultag
I rose the same question recently in private email to Salvatore Bonaccorso. Here below was that email, to reiterate some key thoughts also brought up in this thread and others not brought up: """ Hello Debian Security Team -- Let me first say that I highly respect everyone here and I am only reaching out because I have grave concerns about global security impacting Debian. I am sure everyone here is much smarter than me, so I am looking for some feedback on this. There have been numerous prior discussions on the topic of APT + HTTP security, but I want to lay an issue to rest about this knowing what we know about nation state surveillance attacking global systems. Although APT theoretically protects tampering of packages in transit over HTTP based on the signing key, there are numerous ways to exploit the plaintext HTTP protocol in transit and the way APT handles some aspects of validation. But that is not even the main issue. I will detail the main issue next. The main issue is that a well positioned attacker, such as the NSA or Chinese router admins, have the ability to collect and analyze in real-time what systems have installed what patches installed by monitoring the historical / real-time patch requests downloaded to Debian systems. Eg. given a global view of the Internet, the NSA could craft queries like "Show us all German systems that originate from network ranges belonging to <insert-any-org-here> that have never requested a patch for <insert-any-vuln-here>". Even if behind NAT, internal systems could be specifically analyzed based on client / NAT fingerprinting. This may not be restricted to external facing systems, as it is possible that localized patches for something like Shellshock, HeartBleed, glibc updates, kernel updates, may also be of interest after they intrude into the internal network. This is really the key. Using APT with HTTP by default makes the entire Internet much more vulnerable. With Let's Encrypt offering free TLS certificates, I find no reason to see why Debian would allow such surveillance above to continue. These attacks are happening. We know this from numerous sources. Let's put this issue to rest and move to APT+HTTPS by default. It does not make spoofing a certificate impossible, but it makes the attacks harder, more complex, and costly to the NSA. And with HSTS + HPKP, Debian could also be in a position to prevent most root CA spoofing attacks as well that might try to still gather system information as detailed above. What say you? I humbly request your thoughts. """ To which Salvatore replied: > Thanks for bringing this topic up and sharing your concerns. Don't get > me wrong, but I think it is better to discuss this in public. In fact > it pops up from time to time already. Just recently there was a topic > in similar direction on the debian-devel mailinglist as started here: > https://lists.debian.org/debian-devel/2016/10/msg00281.html > > Maybe you might cime in there in the discussion with as well your > arguments. > > Regards, > Salvatore I should probably also mention after reading this thread, that for good measure, adding HTTP/2 could dramatically lower overhead concerns. Thoughts? -- Regards, Kristian Erik Hermansen https://www.linkedin.com/in/kristianhermansen https://profiles.google.com/kristianerikhermansen
