On 22 April 2014 12:03, Raphael Geissert <geiss...@debian.org> wrote:
> By using curl you are basically allowing the mirror (or anyone who can
> intercept the clear text) to tell "normal" and tor users apart. Think
> of targeted attacks.

Hi Raphael,

Tor users can be identified by IP in any case - the important thing is that all Tor users look alike.

I think it might be worth matching the user-agent string with "normal" apt - but I don't know if libcurl is sending any other headers that set it apart. I'll give it some thought.

But if most users sending apt over Tor switch to this acquire method, then so long as there is no way to tell those users apart from each other, it is difficult to target individuals.

In this case, everything is GPG-signed anyway, so I don't think we're talking about active MITM attacks - it's about confidentiality around which software an individual is using/installing.

Kind regards,

-- 
Tim Retout <dioc...@debian.org>

Archive: https://lists.debian.org/cadc0ge-cuukquggffcruqptzqr2nyrjzqyzyztn4_bqhwcj...@mail.gmail.com
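
The header question raised in this exchange can be checked by comparing what a passive observer sees from each client. The following is an added example, not code from either poster or from apt or libcurl. All requests, host names and User-Agent strings in it are constructed placeholders, and the choice of which headers count as per-request noise (`VOLATILE`) is an assumption.

```python
# Added example: constructed requests, not captures of real apt or libcurl traffic.
VOLATILE = {"host", "range", "if-modified-since"}  # values vary per request, not per client

def parse_headers(raw: bytes):
    """Return [(lowercased name, value), ...] in wire order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def fingerprint(raw: bytes):
    """What a passive observer can compare: header order plus stable values."""
    return tuple((n, None if n in VOLATILE else v) for n, v in parse_headers(raw))

def distinguishing(raw_a: bytes, raw_b: bytes):
    """List the header features that separate two clients; [] means they look alike."""
    a, b = fingerprint(raw_a), fingerprint(raw_b)
    da, db = dict(a), dict(b)
    diffs = []
    for name in sorted(set(da) | set(db)):
        if (name in da) != (name in db):
            diffs.append(f"{name}: sent by only one client")
        elif da[name] != db[name]:
            diffs.append(f"{name}: value differs")
    if [n for n, _ in a if n in db] != [n for n, _ in b if n in da]:
        diffs.append("shared headers appear in a different order")
    return diffs

def _req(path, *headers):
    return ("\r\n".join((f"GET {path} HTTP/1.1",) + headers) + "\r\n\r\n").encode()

UA = "User-Agent: example-apt/1.0"               # placeholder, not apt's real string
NATIVE = _req("/debian/dists/stable/InRelease",
              "Host: mirror.example", "Cache-Control: max-age=0", UA)
NATIVE_2 = _req("/debian/pool/main/h/hello/hello.deb",
                "Host: other.example", "Cache-Control: max-age=0", UA)
CURL_DEFAULT = _req("/debian/dists/stable/InRelease", "Host: mirror.example",
                    "User-Agent: example-curl-method/1.0", "Accept: */*")
CURL_UA_ONLY = _req("/debian/dists/stable/InRelease",
                    "Host: mirror.example", UA, "Accept: */*")
CURL_REORDERED = _req("/debian/dists/stable/InRelease",
                      "Host: mirror.example", UA, "Cache-Control: max-age=0")

if __name__ == "__main__":
    for label, req in [("default", CURL_DEFAULT), ("UA matched", CURL_UA_ONLY),
                       ("reordered", CURL_REORDERED), ("native", NATIVE_2)]:
        print(f"{label:11}", distinguishing(NATIVE, req) or "indistinguishable")
```

In the constructed samples, matching only the User-Agent still leaves the extra and missing headers as a distinguisher, and matching the header set still leaves the ordering.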