On Mon, Oct 24, 2016 at 1:59 AM, Adrian Bunk <b...@stusta.de> wrote:
> It is a common misconception that https could help against these kinds
> of attacks.
>
> https is an improvement over http and it would be good if Debian could
> switch to https by default in stretch, but for the problem you are
> talking about it does not really make a difference.
>
> https can obfuscate the traffic enough that a casual observer
> has problems determining what exactly is being transferred.
>
> If someone like the NSA is analyzing all your traffic, then the
> information when and how much data gets transferred should be
> sufficient to deduce exactly the information you are worried about.

The point is to make passive analysis more costly to do. If they have to assign a probability and it takes exponentially more resources than simply "save PCAP to disk", then HTTPS has improved the situation. And again, HTTP/2 can also help to obscure that analysis. Right now, I only see three Debian mirrors that support HTTP/2 and they are all in Chinese-speaking locales.

mirrors.tuna.tsinghua.edu.cn
mirrors.ustc.edu.cn
shadow.ind.ntou.edu.tw

> apt-transport-tor is the only option that has a realistic chance of
> helping you, unless you want to run a mirror of Debian in your network.
> Anyone who is seriously worried about these issues and has a clue about
> security will end up doing something like that.

Yes, and it is the default in Tails OS. However, it would be prudent to include a secure default option for everyone else that utilizes Debian in the future.

> For the kind of attacks you are describing, https is just snake oil.

Profusely disagree, and so do other members of this list. I'll leave it at that, but I should also point out that your email is being routed insecurely via welho.com and lacks TLS in transit, so I also probably shouldn't consider your TLS knowledge very highly...

--
Regards,
Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
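The disagreement above is about whether the byte count of an encrypted mirror fetch is enough to identify the package (Bunk's point) and whether padding or HTTP/2 multiplexing raises the cost of that inference (Hermansen's point). The following is an added illustration written for this thread, not code from either poster or from Debian: it models a passive observer who sees only the size of a TLS transfer, and then shows how two mitigations widen the set of packages consistent with that size. The package catalogue, sizes and the `TLS_OVERHEAD` fraction are constructed, hypothetical values.

```python
"""Size-based fingerprinting of package downloads over TLS, and how padding
or multiplexing widens the candidate set.  Added example for the thread;
the catalogue below is constructed, not a real Debian package list."""
from itertools import combinations

# Constructed catalogue: package name -> .deb size in bytes (hypothetical).
CATALOGUE = {
    "alpha": 120_000,
    "beta": 120_400,
    "gamma": 350_000,
    "delta": 1_200_000,
    "epsilon": 1_200_500,
    "zeta": 2_000_000,
}

# Assumed: TLS record framing plus HTTP headers add at most ~2% on top of
# the payload, so an observed byte count lies in [size, size * 1.02].
TLS_OVERHEAD = 0.02


def candidates_for_transfer(observed_bytes, catalogue=CATALOGUE, slack=TLS_OVERHEAD):
    """Packages whose size is consistent with one observed TLS transfer.

    Models the observer from the thread: the content is encrypted, but the
    total number of bytes on the connection is visible.  With a plain
    one-request-per-connection fetch, the answer is often a single package.
    """
    out = []
    for name, size in catalogue.items():
        if size <= observed_bytes <= size * (1 + slack):
            out.append(name)
    return sorted(out)


def pad_to_bucket(size, bucket):
    """Mitigation model: the server pads every response up to a bucket size."""
    return ((size + bucket - 1) // bucket) * bucket


def candidates_for_padded(observed_bytes, bucket, catalogue=CATALOGUE):
    """Candidates when all responses are padded to a multiple of `bucket`.

    Every package that rounds up to the same bucket becomes indistinguishable
    from the others by size alone.
    """
    return sorted(n for n, s in catalogue.items()
                  if pad_to_bucket(s, bucket) == observed_bytes)


def candidates_for_multiplexed(observed_bytes, k, catalogue=CATALOGUE, slack=TLS_OVERHEAD):
    """Candidate k-package sets fetched over one multiplexed (HTTP/2-style)
    connection whose summed size matches a single observed byte count.

    The observer no longer sees per-request sizes, only the sum, so the
    number of consistent explanations grows combinatorially with k.
    """
    out = []
    for combo in combinations(sorted(catalogue), k):
        total = sum(catalogue[n] for n in combo)
        if total <= observed_bytes <= total * (1 + slack):
            out.append(combo)
    return out


if __name__ == "__main__":
    # One fetch, no padding: the size alone typically names the package.
    print("plain  :", candidates_for_transfer(351_000))
    # Two packages of nearly equal size already collide within the overhead.
    print("collide:", candidates_for_transfer(121_000))
    # Padding to 500 kB buckets merges every small package into one class.
    print("padded :", candidates_for_padded(500_000, 500_000))
    # Two requests multiplexed onto one connection: several pairs fit.
    print("h2 x2  :", candidates_for_multiplexed(1_320_500, 2))
```

The first call returns a single package, which is the situation Bunk describes; the padded and multiplexed calls return several equally plausible explanations, which is the "assign a probability" cost Hermansen argues for. Real apt traffic also leaks timing and the sequence of fetches, so size bucketing alone is a model of one signal, not a complete defence.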