On Sat, Apr 18, 2020 at 09:13:43PM +0300, Reco wrote:
> Hi.
>
> On Sat, Apr 18, 2020 at 06:48:59PM +0100, André Rodier wrote:
> > I am investigating the option to enforce https access on my network,
> > and I am surprised I have no way to access security.debian.org.
>
> Technically, you can: https://deb.debian.org/debian-security
> Not that using it will be useful in any way, as currently it just
> serves an HTTP redirect to http://security.debian.org
>
> > Is there any reason why https is not supported (yet?),
>
> 1) HTTPS vs HTTP is noticeable in terms of server load, especially if
> the whole world tries to get the same package at the same time.
>
> 2) Release files are GPG signed, and contain multiple checksums for
> every package served.
> A package (or a Release) that's substituted by a third party will be
> noticed by a local apt (so integrity is here), and confidentiality is
> not an issue here.
>
Maybe/maybe not. If part of your threat model includes "an adversary might tailor an attack based on which packages I have installed on my system", then confidentiality might be at issue. It is a weak argument, but I've known people to use it. Of course, it is not too hard to defeat using metadata (i.e., the size of a downloaded package, even over HTTPS, is probably enough information to identify a package fairly uniquely).
Your point about server load is more important, and a simple, effective, and efficient way to address the confidentiality matter is to mirror the entire Debian repository and security repository, then have your machines use the internal mirror.

Regards,

-Roberto

-- 
Roberto C. Sánchez
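As an added illustration of the size-fingerprinting point made above (this is example code written for this page, not anything posted in the thread or shipped by Debian): an observer who sees only the length of an HTTPS transfer can look that length up in the public Packages index, which lists the exact Size of every .deb. The index excerpt, the package sizes and the TLS/HTTP overhead window used below are all constructed assumptions, not real Debian metadata.

```python
# Added example: mapping observed HTTPS transfer sizes back to package names
# using only the public Packages index. Names, sizes and the overhead window
# are constructed for illustration, not taken from a real mirror.
from collections import defaultdict

# Constructed excerpt of a Packages index in Debian control format.
# openssh-server and libssl1.1 are given the same Size on purpose so the
# collision case is visible.
PACKAGES_INDEX = """\
Package: openssh-server
Version: 1:8.4p1-5
Architecture: amd64
Size: 412340
SHA256: 0000000000000000000000000000000000000000000000000000000000000001

Package: nginx-common
Version: 1.18.0-6.1
Architecture: all
Size: 123456
SHA256: 0000000000000000000000000000000000000000000000000000000000000002

Package: libssl1.1
Version: 1.1.1n-0+deb11u3
Architecture: amd64
Size: 412340
SHA256: 0000000000000000000000000000000000000000000000000000000000000003

Package: postfix
Version: 3.5.17-0+deb11u1
Architecture: amd64
Size: 1512345
SHA256: 0000000000000000000000000000000000000000000000000000000000000004
"""


def parse_packages_index(text):
    """Parse blank-line-separated control stanzas into dicts of field -> value."""
    stanzas = []
    current = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        if line[0] in " \t":        # continuation line (e.g. multi-line Description)
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def build_size_index(stanzas):
    """Map declared .deb size -> list of 'name version' strings sharing it."""
    index = defaultdict(list)
    for s in stanzas:
        index[int(s["Size"])].append(f"{s['Package']} {s['Version']}")
    return dict(index)


def candidates(size_index, observed_bytes, min_overhead=300, max_overhead=2000):
    """Packages whose declared Size fits the observed ciphertext length.

    Assumption: TLS record framing plus HTTP response headers add between
    min_overhead and max_overhead bytes to a single download. The real figure
    depends on cipher suite, record sizing and server headers, so this is a
    tolerance window rather than an exact model.
    """
    low = observed_bytes - max_overhead
    high = observed_bytes - min_overhead
    hits = []
    for size, names in sorted(size_index.items()):
        if low <= size <= high:
            hits.extend(names)
    return hits


def uniqueness_ratio(size_index):
    """Fraction of packages whose size alone singles them out."""
    total = sum(len(v) for v in size_index.values())
    unique = sum(len(v) for v in size_index.values() if len(v) == 1)
    return unique / total if total else 0.0


if __name__ == "__main__":
    idx = build_size_index(parse_packages_index(PACKAGES_INDEX))
    # 124 000 bytes of ciphertext observed: only nginx-common fits the window.
    print(candidates(idx, 124000))
    # 412 900 bytes observed: two packages collide on size, so the observer
    # is left with a short list rather than a single answer.
    print(candidates(idx, 412900))
    print(f"{uniqueness_ratio(idx):.2f} of packages have a unique size")
```

On a real index the collision case is the exception: with tens of thousands of packages spread over sizes from a few kilobytes to hundreds of megabytes, most sizes are unique, which is why size alone tends to defeat the confidentiality that HTTPS would otherwise provide for this traffic. An internal mirror, as suggested above, removes the observable transfer from the network an outside party can watch.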