Djones Boni:
> A Debian THS is a good idea for the security it provides, not for
> anonymity or down rate. It would be harder for someone to MITM and hide
> updates from you. That is why Debian should use SSL (and THS).

Downloading apt-get updates over Tor hidden services would be awesome!

- Even when an adversary found a way to exploit apt-get's OpenPGP verification, the exploit could not be used, because Tor hidden services implement their own encryption/authentication.
- An adversary could not even know that someone is downloading apt-get updates.
- We obscure more internet traffic, good for Tor (diversifying user base and use cases), adding more hay to the haystack.
- It becomes more difficult to mount rollback/freeze attacks. We have the valid-until field, but Tor HS would be nice as defense in depth.

And before someone says the Tor network does not want this kind of traffic... Having my Whonix (a Debian derivative) hat on: There is no such issue. One can use Tor to download updates. We asked torproject.org if it is okay to download operating system updates over Tor, see [1] [2]. Andrew Lewman (Executive Director, Director, press contact [3]) also downloads a lot of updates over Tor and did not complain. [4]

[1] https://lists.torproject.org/pipermail/tor-talk/2012-March/023486.html
[2] https://lists.torproject.org/pipermail/tor-talk/2012-March/subject.html#23507
[3] https://www.torproject.org/about/corepeople.html.en
[4] https://lists.torproject.org/pipermail/tor-talk/2012-March/023493.html
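
The freeze/rollback point in the message above, as an added illustration that is not part of the original message and is not apt's own code: a client-side check of a Release file's `Date` and `Valid-Until` fields. The function names, the result labels and the sample Release header are constructed for this example, and the check assumes the file's OpenPGP signature has already been verified.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample header of a Release file (not taken from a real archive).
SAMPLE_RELEASE = """\
Origin: Debian
Suite: stable
Date: Sat, 26 Oct 2013 08:54:05 UTC
Valid-Until: Sat, 02 Nov 2013 08:54:05 UTC
MD5Sum:
 0123456789abcdef0123456789abcdef 1234 main/binary-amd64/Packages
"""

def parse_fields(release_text):
    """Return the 'Key: value' header fields of a Release file as a dict."""
    fields = {}
    for line in release_text.splitlines():
        if line[:1] in (" ", "\t") or ":" not in line:
            continue  # checksum entries are indented continuation lines
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def parse_ts(value):
    """Parse an RFC 2822 style timestamp; treat a missing zone as UTC."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_release(release_text, now, last_seen_date=None):
    """Classify a (signature-verified) Release file.

    'rollback'       : older than a Release this client already accepted
    'no-valid-until' : the archive gives no expiry, so a freeze is undetectable
    'frozen'         : Valid-Until has passed; a mirror may be withholding updates
    'ok'             : newer than or equal to the last one seen and unexpired
    """
    fields = parse_fields(release_text)
    if last_seen_date is not None and parse_ts(fields["Date"]) < last_seen_date:
        return "rollback"
    if "Valid-Until" not in fields:
        return "no-valid-until"
    if now > parse_ts(fields["Valid-Until"]):
        return "frozen"
    return "ok"
```

The rollback branch only works if the client persists the `Date` of the last Release it accepted; `Valid-Until` alone bounds how long a stale but validly signed file can be replayed.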