On Sun, Oct 23, 2016 at 06:04:50AM -0700, Kristian Erik Hermansen wrote:
>...
> The main issue is that a well-positioned attacker, such as the NSA or
> Chinese router admins, has the ability to collect and analyze in
> real-time what systems have installed what patches by
> monitoring the historical / real-time patch requests downloaded to
> Debian systems.
>...
It is a common misconception that https could help against these kinds of attacks.

https is an improvement over http, and it would be good if Debian could switch to https by default in stretch, but for the problem you are talking about it does not really make a difference.

https can obfuscate the traffic enough that a casual observer has problems determining what exactly is being transferred. If someone like the NSA is analyzing all your traffic, then the information on when and how much data gets transferred should be sufficient to deduce exactly the information you are worried about.

apt-transport-tor is the only option that has a realistic chance of helping you, unless you want to run a mirror of Debian in your network. Anyone who is seriously worried about these issues and has a clue about security will end up doing something like that.

For the kind of attacks you are describing, https is just snake oil.

> Regards,

cu
Adrian

-- 
"Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
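The size argument above, worked through as an added illustration that is not part of this thread or of apt: TLS ciphertext length tracks plaintext length, so a constructed package index with sizes is enough to map an observed transfer size back to one package, and only padding on the mirror side (a hypothetical `pad_to` parameter here) blurs that mapping. Package names and sizes below are made up for the example, and the fixed per-transfer TLS overhead is an assumption.

```python
"""Added example: how much a transfer size alone reveals about which
package was fetched, and how size padding changes that. Constructed data."""
from collections import defaultdict

# Constructed sample of a package index: (name, Size in bytes). The values
# are invented for illustration and are not real Debian metadata.
PACKAGES = [
    ("openssl", 1_453_100),
    ("libssl1.0.2", 1_302_876),
    ("bash", 1_142_480),
    ("coreutils", 2_418_512),
    ("curl", 225_440),
    ("wget", 826_604),
    ("less", 125_240),
    ("nano", 455_712),
    ("vim-tiny", 447_900),
    ("sudo", 393_812),
]

TLS_OVERHEAD = 64  # assumed fixed framing/MAC overhead per transfer


def observed_size(plaintext_size, pad_to=1):
    """Bytes an on-path observer sees for one download.

    pad_to=1 models plain TLS (no padding); a larger value models a
    hypothetical mirror that pads each response up to a multiple of pad_to."""
    padded = -(-plaintext_size // pad_to) * pad_to  # ceiling to a multiple
    return padded + TLS_OVERHEAD


def build_lookup(packages, pad_to=1):
    """Map every observable size to the set of packages that produce it."""
    table = defaultdict(set)
    for name, size in packages:
        table[observed_size(size, pad_to)].add(name)
    return table


def identify(size_seen, packages, pad_to=1):
    """Candidate packages for one observed transfer size (sorted).
    A one-element result means https hid nothing about the package."""
    return sorted(build_lookup(packages, pad_to).get(size_seen, set()))


def unique_fraction(packages, pad_to=1):
    """Share of packages an observer pins down exactly from size alone."""
    table = build_lookup(packages, pad_to)
    return sum(1 for names in table.values() if len(names) == 1) / len(packages)
```

With no padding every package in the sample is uniquely identifiable; padding to 1 MiB-sized buckets leaves only the largest one distinguishable, which is the kind of change a mirror or transport would need before https helped against a size-counting observer.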