On Wed, Dec 08, 2021 at 09:44:19PM +0100, Hans-Christoph Steiner wrote:
>
> Package: apt
> Version: 2.3.13
> Severity: wishlist
>
> apt should pad its TLS connections to obscure the size of the downloaded
> files from network observers. Right now, an attacker could build an index
> of all package sizes, then track the size of HTTPS streams to Debian
> mirrors, and from that, be able to identify most of the packages being
> downloaded over HTTPS.
TLS record padding does not help with that. First of all, we pipeline all
our requests; secondly, we'd not be padding to the extent that this would
hide things (think pad everything to 1MB); third, security updates are
updated quickly, it's unlikely you'd be unable to identify them. In fact,
what you want to do is identify which security updates have not been
applied, and you can just track the last conversation with security.d.o
for that :)

So in summary, I don't think it's relevant for us.

> TLSv1.3 added the possibility to add padding to TLS connections:
> https://tools.ietf.org/id/draft-ietf-tls-tls13-21.html#rfc.section.5.4
>
> GnuTLS already supports it:
> https://www.gnutls.org/manual/gnutls.html#On-Record-Padding
>

You should find out the OpenSSL API for it, GnuTLS will be on its way out
next year.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
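The reply's point that padding would have to be very coarse ("think pad everything to 1MB") to hide anything can be put in numbers. The following is an added illustration written for this thread; it is not code from apt, from GnuTLS, or from either participant. It uses a constructed catalogue of invented package names and sizes, pads each whole transfer up to a multiple of a chosen granularity (a simplification of per-record TLS 1.3 padding, which the sender controls record by record), and reports how many packages would still produce a unique observable size and what the padding costs in extra bytes. Names, sizes and the whole-transfer padding model are assumptions.

```python
"""Sizing up TLS padding against package-size fingerprinting.

Added illustration for the apt bug thread; not apt's or GnuTLS's code.
The catalogue below is a constructed set of package sizes, and the model
pads each whole transfer up to a multiple of a chosen granularity.
"""
from typing import Dict, List

# Constructed package sizes in bytes; names and numbers are invented.
CATALOGUE: Dict[str, int] = {
    "lib-foo": 13_400,
    "lib-bar": 14_900,
    "tool-baz": 52_000,
    "tool-qux": 60_000,
    "app-one": 240_000,
    "app-two": 900_000,
    "doc-big": 2_500_000,
}

KIB = 1024
MIB = 1024 * KIB


def pad_to(size: int, granularity: int) -> int:
    """Bytes visible on the wire when a transfer is padded up to a multiple of granularity."""
    if granularity <= 0:
        raise ValueError("granularity must be positive")
    return -(-size // granularity) * granularity  # integer ceiling division


def anonymity_sets(catalogue: Dict[str, int], granularity: int) -> Dict[int, List[str]]:
    """Group package names by the padded size a passive observer would see."""
    groups: Dict[int, List[str]] = {}
    for name, size in catalogue.items():
        groups.setdefault(pad_to(size, granularity), []).append(name)
    return groups


def uniquely_identifiable(catalogue: Dict[str, int], granularity: int) -> int:
    """Count packages whose padded size is shared with no other package."""
    return sum(1 for names in anonymity_sets(catalogue, granularity).values() if len(names) == 1)


def padding_overhead(catalogue: Dict[str, int], granularity: int) -> float:
    """Extra bytes sent because of padding, as a fraction of the unpadded total."""
    real = sum(catalogue.values())
    padded = sum(pad_to(s, granularity) for s in catalogue.values())
    return (padded - real) / real


def pipelined_wire_size(catalogue: Dict[str, int], names: List[str], granularity: int) -> int:
    """Bytes seen on one connection when several responses are pipelined back to back."""
    return sum(pad_to(catalogue[n], granularity) for n in names)


if __name__ == "__main__":
    for g in (1, 16 * KIB, 1 * MIB):
        print(f"granularity {g:>8} B: "
              f"{uniquely_identifiable(CATALOGUE, g)} of {len(CATALOGUE)} packages still unique, "
              f"overhead {padding_overhead(CATALOGUE, g):.1%}")
    print("pipelined [lib-foo, tool-baz] at 16 KiB:",
          pipelined_wire_size(CATALOGUE, ["lib-foo", "tool-baz"], 16 * KIB))
```

With this catalogue, padding to the 16 KiB record size still leaves three of seven packages with a unique size at about 1% overhead, while padding to 1 MiB collapses six of them into one bucket at roughly 150% overhead, which is the trade-off the reply is pointing at.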