Bird debian repo now over https only?

Toke Høiland-Jørgensen toke at toke.dk
Wed Oct 17 17:41:34 CEST 2018


Florian Lohoff <f at zz.de> writes:

> On Mon, Oct 15, 2018 at 12:22:34PM +0200, Toke Høiland-Jørgensen wrote:
>> > The integrity of debian packages is guranteed by their hash
>> > in the Packages file which is signed by a gpg signature.
>> > So https is not needed for integrity and fetching from
>> > a debian mirror does not need confidentially.
>> 
>> Sure it does. Otherwise an observer has a list of all packages installed
>> on your system, which, apart from the obvious privacy implications, also
>> potentially has security implications (an attacker can know which
>> vulnerable package versions are installed on the system).
>
> As the attacker knows you are connecting to a debian repository its a
> pretty simple guess from file/request size to the package.
>
> Because you cant read the data doesnt mean you are safe. Metadata is
> most of the time enough.

Sure, https is no panacea. I was just disputing the assertion that it
has *no* value...

-Toke



More information about the Bird-users mailing list