Re: Accessing security.debian.org through https
Hi.

On Mon, Apr 20, 2020 at 08:11:29AM -0400, Greg Wooledge wrote:
> On Sat, Apr 18, 2020 at 09:13:43PM +0300, Reco wrote:
> > Technically, you can: https://deb.debian.org/debian-security
> > Not that using it will not be useful in any way as currently it just
> > serves an HTTP redirect to http://security.debian.org
>
> That doesn't seem to be true. As I said last week, my workplace's
> firewall has recently started blocking Debian's package mirrors, but
>
> deb https://deb.debian.org/debian-security buster/updates main contrib non-free

I stand corrected.
It's https://deb.debian.org/debian-security verbatim that does the redirect.
An attempt to get any file via this apt-proxy-ng instance will result in a file served by HTTPS.

For instance, this should work without any redirect:
https://deb.debian.org/debian-security/pool/updates/main/c/chromium/chromium_80.0.3987.162-1~deb10u1.dsc

Reco
Re: Accessing security.debian.org through https
On Sat, Apr 18, 2020 at 09:13:43PM +0300, Reco wrote:
> Technically, you can: https://deb.debian.org/debian-security
> Not that using it will not be useful in any way as currently it just
> serves an HTTP redirect to http://security.debian.org

That doesn't seem to be true. As I said last week, my workplace's
firewall has recently started blocking Debian's package mirrors, but

deb https://deb.debian.org/debian-security buster/updates main contrib non-free

works for me.
Re: Accessing security.debian.org through https
On Sat, Apr 18, 2020 at 09:13:43PM +0300, Reco wrote:
> Hi.
>
> On Sat, Apr 18, 2020 at 06:48:59PM +0100, André Rodier wrote:
> > I am investigating the option to enforce https access on my network,
> > and I am surprised I have no way to access security.debian.org.
>
> Technically, you can: https://deb.debian.org/debian-security
> Not that using it will not be useful in any way as currently it just
> serves an HTTP redirect to http://security.debian.org
>
> > Is there any reason why https is not supported (yet?),
>
> 1) HTTPS vs HTTP is noticeable in terms of server load, especially if
> the whole world tries to get the same package at the same time.
>
> 2) Release files are GPG signed, and contain multiple checksums for
> every package served.
> A package (or a Release) that's substituted by a third party will be
> noticed by a local apt (so integrity is here), and confidentiality is
> not an issue here.
>

Maybe/maybe not. If part of your threat model includes "an adversary might
tailor an attack based on which packages I have installed on my system", then
confidentiality might be at issue. It is a weak argument, but I've known
people to use it. Of course, it is not too hard to defeat using metadata
(i.e., the size of a downloaded package, even over HTTPS, is probably enough
information to identify a package fairly uniquely).

Your point about server load is more important and a simple, effective, and
efficient way to address the confidentiality matter is to mirror the entire
Debian repository and security repository then have your machines use the
internal mirror.

Regards,

-Roberto

--
Roberto C. Sánchez
Re: Accessing security.debian.org through https
Hi.

On Sat, Apr 18, 2020 at 06:48:59PM +0100, André Rodier wrote:
> I am investigating the option to enforce https access on my network,
> and I am surprised I have no way to access security.debian.org.

Technically, you can: https://deb.debian.org/debian-security
Not that using it will not be useful in any way as currently it just
serves an HTTP redirect to http://security.debian.org

> Is there any reason why https is not supported (yet?),

1) HTTPS vs HTTP is noticeable in terms of server load, especially if
the whole world tries to get the same package at the same time.

2) Release files are GPG signed, and contain multiple checksums for
every package served.
A package (or a Release) that's substituted by a third party will be
noticed by a local apt (so integrity is here), and confidentiality is
not an issue here.

> especially with lets-encrypt.

They use certificates signed by this CA already if it's appropriate
(deb.d.o, wiki.d.o, www.d.o to name a few).

Reco
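Reco's second point above (a GPG-signed Release file carrying a checksum for every index and package, so a substituted file is caught whichever transport delivered it), as an added example that is not part of this thread: a Python sketch of the size-and-SHA256 check against the SHA256 section of a Release file. The Release excerpt and the Packages index are constructed here, and the signature verification apt runs first over InRelease is assumed to have already passed and is not shown.

```python
import hashlib
import re

# Constructed stand-in for a fetched Packages index; the check below does not
# care whether http or https delivered these bytes.
SAMPLE_PACKAGES = (
    b"Package: chromium\n"
    b"Version: 80.0.3987.162-1~deb10u1\n"
    b"Architecture: amd64\n\n"
)
SECTION_RE = re.compile(r"^(MD5Sum|SHA1|SHA256|SHA512):\s*$")


def make_release_excerpt(files):
    """Constructed Release-style text with a SHA256 section for {path: bytes}.
    Stands in for the GPG-signed InRelease/Release file apt downloads."""
    lines = ["Origin: Debian", "Label: Debian-Security", "Suite: buster",
             "Architectures: amd64", "Components: main", "SHA256:"]
    for path, data in files.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {path}")
    return "\n".join(lines) + "\n"


def parse_release_sha256(release_text):
    """Return {path: (size, sha256hex)} parsed from the SHA256 section."""
    entries, section = {}, None
    for line in release_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif not line.startswith(" "):
            section = None  # any other field ends a checksum section
        elif section == "SHA256":
            digest, size, path = line.split()
            entries[path] = (int(size), digest)
    return entries


def verify_index(release_text, path, data):
    """True only if data has the size and SHA256 that Release records for path.
    A path absent from Release is rejected, as apt rejects it."""
    entry = parse_release_sha256(release_text).get(path)
    if entry is None:
        return False
    size, digest = entry
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


# Release excerpt for the sample index; a substituted index fails verification.
SAMPLE_RELEASE = make_release_excerpt({"main/binary-amd64/Packages": SAMPLE_PACKAGES})
TAMPERED_PACKAGES = SAMPLE_PACKAGES.replace(b"80.0", b"79.0")  # same length, new hash
```

apt applies the same size-plus-hash comparison to each .deb using the entry in the verified Packages index, which is why a third-party substitution of either file is noticed even over plain HTTP.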
Re: Accessing security.debian.org through https
On Sat, Apr 18, 2020 at 06:48:59PM +0100, André Rodier wrote:
> Hello,
>
> I am investigating the option to enforce https access on my network,
> and I am surprised I have no way to access security.debian.org.
>
> Is there any reason why https is not supported (yet?), especially with
> lets-encrypt.
>

First, what problem are you trying to solve? What is your threat model?
What vulnerability are you trying to address?

Regards,

-Roberto

--
Roberto C. Sánchez