Package: apt
Version: 2.3.13
Severity: wishlist

apt should pad its TLS connections to obscure the size of the downloaded files from network observers. Right now, an attacker could build an index of all package sizes, then track the size of HTTPS streams to Debian mirrors, and from that, be able to identify most of the packages being downloaded over HTTPS.

TLSv1.3 added the possibility to add padding to TLS connections:
https://tools.ietf.org/id/draft-ietf-tls-tls13-21.html#rfc.section.5.4

GnuTLS already supports it:
https://www.gnutls.org/manual/gnutls.html#On-Record-Padding
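The following is an added illustration, not part of the bug report and not apt or GnuTLS code: it models the size-fingerprinting attack described above (an index of package sizes matched against observed HTTPS stream lengths) and shows what padding the body to a fixed bucket does to the attacker's candidate set. The package index, the TLS 1.3 record model (maximum-size 16 KiB records with a constant 22-byte per-record overhead, all-padding records allowed) and the 1 MiB bucket size are all constructed assumptions for the example.

```python
# Added example (not apt's or GnuTLS's code): model the size-fingerprinting
# attack and the effect of record padding. The package index and the TLS
# record model below are constructed for illustration only.
import math

# Constructed mini package index: filename -> size of the .deb in bytes.
PACKAGE_INDEX = {
    "libfoo1_1.0-1_amd64.deb": 51_234,
    "bar_2.3-4_amd64.deb": 51_260,
    "baz-tools_0.9_amd64.deb": 812_345,
    "qux_5.1_amd64.deb": 4_096_000,
}

# TLS 1.3 record model (assumption: the sender fills records to the maximum).
TLS_MAX_PLAINTEXT = 16_384    # 2^14 bytes of plaintext per record (RFC 8446)
RECORD_OVERHEAD = 5 + 1 + 16  # record header + inner content-type byte + AEAD tag


def wire_size(payload_len, pad_to=None):
    """Bytes a network observer sees for one HTTPS body of payload_len bytes.

    pad_to: if set, the application pads the body up to the next multiple of
    pad_to before sending (TLS 1.3 zero-padding; records that consist only of
    padding are permitted, so the bucket can exceed one record).
    """
    if pad_to:
        payload_len = math.ceil(payload_len / pad_to) * pad_to
    records = max(1, math.ceil(payload_len / TLS_MAX_PLAINTEXT))
    return payload_len + records * RECORD_OVERHEAD


def fingerprint_table(index=PACKAGE_INDEX, pad_to=None):
    """Attacker side: predicted wire size -> package names with that size."""
    table = {}
    for name, size in index.items():
        table.setdefault(wire_size(size, pad_to), []).append(name)
    return table


def identify(observed, index=PACKAGE_INDEX, tolerance=0, pad_to=None):
    """Attacker side: packages whose predicted wire size lies within
    tolerance bytes of the observed stream length. The tolerance absorbs
    things the attacker cannot predict exactly, such as HTTP header length."""
    table = fingerprint_table(index, pad_to)
    return sorted(
        name
        for size, names in table.items()
        if abs(size - observed) <= tolerance
        for name in names
    )


if __name__ == "__main__":
    # The client downloads libfoo1; the observer only sees the stream length.
    seen = wire_size(PACKAGE_INDEX["libfoo1_1.0-1_amd64.deb"])
    print("no padding, exact match:      ", identify(seen))
    print("no padding, +-64 B tolerance: ", identify(seen, tolerance=64))

    # Same download with the body padded up to a 1 MiB bucket.
    seen_padded = wire_size(PACKAGE_INDEX["libfoo1_1.0-1_amd64.deb"], pad_to=1 << 20)
    print("1 MiB padding, exact match:   ", identify(seen_padded, pad_to=1 << 20))
```

Without padding the observed length picks out libfoo1 exactly, and even with a 64-byte tolerance only the near-identical bar package joins the candidate set. With the body padded to a 1 MiB bucket, every package under 1 MiB produces the same stream length, so the observer learns only the bucket, not the package; the caveat is that a bucket scheme only hides what falls into the same bucket, so large or unusually sized packages stay identifiable unless the bucket size grows with the file.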
