On 2021-09-02 12:27:34 -0400 (-0400), Roberto C. Sánchez wrote: [...] > In this context, it might make sense to describe using HTTPS as > the transport for APT operations is providing "default > confidentiality". Which, as similarly discussed, it really doesn't do either (because of deterministic blob sizes for publicly served files, current SNI implementations leaking hostnames, general state of the CA and CDN industries...), so suggesting that may also give users a false impression. If they really do need confidentiality of their package installation, they're probably better off doing updates over Tor or a some VPN which does batching/interleaving of bulk transfers with some cover traffic, or keeping a private local package mirror. But to a great extent the degree of confidentiality they can expect really depends on who they're trying to hide their traffic from. If their concern is that a company headquartered in the USA might be tracking the packages they're downloading from deb.debian.org, then that's already a possibility even with HTTPS: the site is currently fronted by the Fastly CDN service which terminates TLS encryption for those HTTPS requests in order to be able to cache them globally. Of course, without a CDN, mirror site operators can track what packages you're downloading from them over HTTPS as well. More generally, what I'm saying is don't try to paint this change as actually implementing any significant amount of new security or privacy for Debian users, that would be disingenuous. Just say the default is switching to HTTPS because that's what users, by and large, expect today. -- Jeremy Stanley
Attachment:
signature.asc
Description: PGP signature