Hans-Christoph Steiner:

> On 10/30/2013 10:49 AM, Norbert Kiszka wrote:
>> On Wed, 2013-10-30 at 11:34 -0200, Djones Boni wrote:
>>> On 30-10-2013 11:05, Celejar wrote:
>>>> You're snipping crucial context; my comment above was in response to
>>>> this:
>>>>> For apt-get a self-signed certificate could be used which comes together
>>>>> with Debian. No CA required. This is both simpler and safer.
>>>> I was pointing out that this comment makes no sense in the context of
>>>> apt-get. It sounds like you're referring to the website or email system.
>>> I am talking about updates.
>>>
>>> Yes. Apt uses OpenPGP to verify the integrity and authenticity of the
>>> packages it downloads.
>>> But how does apt get these packages? Over insecure HTTP.
>>>
>>> DNS hijacking or a MITM attack can hide updates from you or a country. Then
>>> you are vulnerable due to out-of-date software and you don't even know
>>> about it.
>>
>>> and you don't even know
>>> about it.
>>
>> That's why I am on the debian-security@lists.debian.org
>
> A governmental firewall could just as easily block an email as it could
> block/filter information about security updates. In order to understand why
> tor and TLS would be useful here, it's good to break down the various concerns
> (or threats if you prefer):
>
> 1. package authenticity (provided by the GPG signatures)
> 2. package availability (can currently be manipulated by MITM)
> 3. repo availability (can be blocked by firewalls)
> 4. who's downloading what package (currently visible to anyone who can see the
>    network traffic)
>
> Most people are used to thinking about #1 when thinking about the security of
> Debian repos. But 2-4 are also important, and currently not well addressed.
> This is where TLS and Tor come in. Both can help prevent MITM manipulations
> as well as reduce the amount of information that is leaked to the network.
> Tor can also help with #3 since Tor is difficult to block (though China and
> Iran are effectively blocking tor traffic these days).
>
> I think having official Debian repos available with both TLS and Tor available
> as options is a very good idea. I'm happy to help where I can, but I'm not on
> the sysadmin team (though I was a sysadmin in a former life).
>
> Also, there are a number of official mirrors that already support TLS. I
> haven't looked to see if there are any repos available from a Tor Hidden
> Service.
>
Thanks for writing that summary Hans. This is part of a good defense in depth plan. It would be nice to have an official Debian.org machine with a key in a hardware security module. This would allow us to pin against specific certificates and to avert MITM attacks by failing closed.

All the best,
Jacob

Archive: http://lists.debian.org/527b6136.30...@appelbaum.net
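Concern #2 in Hans's list (an attacker on the path who withholds updates so a client keeps serving a stale index) is the one a client can detect locally: Debian Release files carry a Date and, on most Debian archives, a Valid-Until field, and apt rejects an expired index when Acquire::Check-Valid-Until is enabled. The script below is an added example, not code from this thread or from apt itself, that performs that freshness check on a constructed Release header; it assumes the header was already signature-verified, and the `utc` helper exists only to build test timestamps.

```python
import email.utils
from datetime import datetime, timezone

# Constructed sample: the header block of a Debian Release file with the
# hash tables omitted. The dates are placeholders chosen for the example.
SAMPLE_RELEASE = """\
Origin: Debian
Suite: stable
Codename: wheezy
Date: Sat, 12 Oct 2013 12:00:00 UTC
Valid-Until: Sat, 19 Oct 2013 12:00:00 UTC
Components: main
"""

def utc(year, month, day, hour=0):
    """Build an aware UTC timestamp (used as the 'now' input below)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)

def parse_release_fields(text):
    """Parse the 'Key: value' header lines of a Release file into a dict.
    Indented rows (hash tables) and '-----' clearsign markers are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0] in " \t-":
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_release_date(value):
    """Release timestamps are RFC 2822 dates; treat a bare one as UTC."""
    parsed = email.utils.parsedate_to_datetime(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed

def check_release_freshness(text, now):
    """Classify a Release header relative to the local clock `now`:
    'fresh', 'expired' (Valid-Until passed: a withheld or replayed index),
    'future-dated' (Date is ahead of the clock: replay or clock skew), or
    'missing-valid-until' (nothing bounds how long the index may be served)."""
    fields = parse_release_fields(text)
    date = parse_release_date(fields["Date"])
    if date > now:
        return "future-dated"
    if "Valid-Until" not in fields:
        return "missing-valid-until"
    valid_until = parse_release_date(fields["Valid-Until"])
    if now > valid_until:
        return "expired"
    return "fresh"
```

An 'expired' result on a mirror that is otherwise reachable is the signal that updates are being held back, which is exactly the case that signature checking alone cannot catch.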