guix-patches

[bug#29046] [PATCH] gnu: linux-libre: Change URL to HTTPS.


From: Mark H Weaver
Subject: [bug#29046] [PATCH] gnu: linux-libre: Change URL to HTTPS.
Date: Tue, 07 Nov 2017 14:05:24 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

Hi,

address@hidden (Ludovic Courtès) writes:

> Leo Famulari <address@hidden> skribis:
>
>> On Mon, Oct 30, 2017 at 03:14:10PM -0400, Mark H Weaver wrote:
>>> I'm not strongly opposed to it, but in general, I'm not sure I
>>> understand the rationale for changing source URLs to use HTTPS.  We
>>> already verify the authenticity of the downloaded file by SHA256 hash,
>>> and verify the GPG signature when updating to a new version.  Both of
>>> these are far stronger than HTTPS, which in practice can be subverted by
>>> compromising *any* certificate authority listed in our trust database
>>> (in Mozilla NSS).
>>>
>>> HTTPS also fails to hide from an eavesdropper which file was downloaded,
>>> because in practice that can be determined by the amount of data
>>> transferred.
>>> 
>>> So, unless I'm mistaken, HTTPS doesn't provide any benefit to us here.
>>> On the other hand, using HTTPS entails using more complex code to
>>> download the files, which exposes a much larger attack surface that
>>> might be exploited to compromise our systems.  Many security flaws have
>>> been uncovered in TLS libraries over the years.  Using HTTPS also adds
>>> more load on the server.
>>> 
>>> In summary, I'm mildly opposed to this change, but if I've made a
>>> mistake in my reasoning here, or if other people feel strongly, I'm okay
>>> either way.
>>> 
>>> What do you think?
>
> I very much sympathize with everything you wrote.  Regarding
> eavesdropping (which to me is the main reason to change to HTTPS in this
> context), the “bicycle attack” kinda confirms that HTTPS is not so good
> at protecting from eavesdropping: <http://arxiv.org/pdf/1403.0297.pdf>.
>
> However, it remains a relatively elaborate attack: I can trivially see
> what you are getting over HTTP, and I would have to target you and be
> fairly determined to analyze your HTTPS traffic.  So overall, I still
> think that HTTPS improves privacy, even if we must be aware of its
> limitation.
>
>> It's true that, in this case, an active attacker could probably learn
>> which file you are downloading. But using TLS would foil passive
>> surveillance, which is probably widespread.
>
> +1

Is an active attack needed to determine which file we are downloading
from linux-libre.fsfla.org?  I think not.  The IP address of that host
reverse resolves to "linux-libre.fsfla.org", which makes it obvious.
The title of the paper Ludovic cited above makes the point:

  I Know Why You Went to the Clinic

or in this case:

  I know why you downloaded 97 megabytes from linux-libre.fsfla.org.

Unless I'm mistaken, using TLS does *not* foil passive surveillance for
source downloads in the overwhelming majority of cases, and especially
not in this case.  Even at web sites that serve a larger variety of
software, determining what was downloaded by the amount of data
transferred does not require an active attack.

Anyway, having said this, if using HTTPS for linux-libre downloads makes
you sleep better at night, I'm okay with it.

     Regards,
       Mark
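
The size argument in the message above can be checked for any download mirror by computing, for each file it serves, how many other files would produce an indistinguishable encrypted transfer size. The following is an added example, not part of the original message or of Guix; the catalogue, the file names and the TLS overhead figures are constructed assumptions.

```python
"""Added example: how identifiable is a download from its encrypted size alone?"""
from math import ceil

# Assumed, simplified TLS model (not measured): 16 KiB records, each adding
# 29 bytes (5 header + 8 nonce + 16 AEAD tag, as in TLS 1.2 AES-GCM).
RECORD_PAYLOAD = 16384
RECORD_OVERHEAD = 29
# Assumed upper bound on the HTTP response headers sent with the file.
HEADER_SLACK = 2048

# Constructed catalogue of file sizes in bytes; names and sizes are hypothetical.
CATALOGUE = {
    "kernel-a.tar.xz": 97_000_000,
    "kernel-b.tar.xz": 90_000_000,
    "kernel-a.tar.xz.sign": 819,
    "kernel-b.tar.xz.sign": 819,
}


def wire_size_range(size):
    """Return (low, high) bytes an observer would count for a file of `size`."""
    low = size + ceil(size / RECORD_PAYLOAD) * RECORD_OVERHEAD
    return low, low + HEADER_SLACK


def candidates(observed, catalogue=CATALOGUE):
    """Files whose predicted wire-size range contains the observed byte count."""
    return sorted(
        name for name, size in catalogue.items()
        if wire_size_range(size)[0] <= observed <= wire_size_range(size)[1]
    )


def anonymity_sets(catalogue=CATALOGUE):
    """Map each file to the files it cannot be told apart from by size."""
    ranges = {name: wire_size_range(size) for name, size in catalogue.items()}
    return {
        name: sorted(
            other for other, (o_lo, o_hi) in ranges.items()
            if lo <= o_hi and o_lo <= hi
        )
        for name, (lo, hi) in ranges.items()
    }


if __name__ == "__main__":
    for name, peers in anonymity_sets().items():
        verdict = "unique by size" if len(peers) == 1 else "ambiguous"
        print(f"{name}: {verdict} ({len(peers)} candidate(s))")
```

A file whose anonymity set contains only itself gains no confidentiality from TLS against an observer who can count bytes; only files that share a size range with others are hidden among them.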




