* Hans-Christoph Steiner <h...@at.or.at> [140703 18:10]: > You are correct that HTTPS would not entirely address #2, but it does > improve the situation over HTTP. For example, an ISP, network operator, > or government could block an entire mirror or all mirrors by redirecting > requests to their own mirror which does not get updates. That would be > transparent to the user.
- An ISP could just offer to host a mirror, thus getting the certificates for free. All you could avoid is getting in the way of someone willfully wasting bandwith by using a specific far away mirror. - A goverment could likely just do the same, but with any certificates/private keys of any mirrors near you. - It is only "Transparent" in a very abstract sense of the word. People know what security updates there are. Sending outdated stuff to many people is hard to hide. So you need a targeted attack, which would even cause more suspicion if someone realizes it. If someone updates the packages manually detection chances are astronomically high. If things are updated manually then a targeted attack might as well block the traffic and also block the mails going out about the automated update failing. And then there is still the massive negative aspect of using https, which any positive aspects have to trumph: If using https, people might actually think they can just use a browser or the like to download things and get a validated file. Which of course it is not, as so many people can trivially inject something. An false feeling of having security can be much worse than anything else often. Bernhard R. Link -- F8AC 04D5 0B9B 064B 3383 C3DA AFFC 96D1 151D FFDC -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140703182620.ga2...@client.brlink.eu