SoylentNews is people

posted by cmn32480 on Monday September 07 2015, @01:51AM
from the in-tor-no-one-can-see-you-download dept.

"Richard Hartmann, Peter Palfrader, and Jonathan McDowell have set up the first official onion service mirrors of the Debian operating system's software package infrastructure. This means that it is now possible to update your Debian system without the update information or downloaded packages leaving the Tor network at all, preventing a network adversary from discovering information about your system. A follow-up post by Richard includes guidance on using apt-transport-tor with the new mirrors.

These services are only the first in what should hopefully become a fully Tor-enabled system mirroring "the complete package lifecycle, package information, and the website". "This service is not redundant, it uses a key which is stored on the local drive, the .onion will change, and things are expected to break", wrote Richard, but if you are interested in trying out the new infrastructure, see the write-ups for further information."

This was originally found at Blog.TorProject.org


  • (Score: 1, Informative) by Anonymous Coward on Monday September 07 2015, @11:18PM (#233512)

    The first post explains the use-case:

    During Jacob Applebaum's talk at DebConf15, he noted that Debian should TLS-enable all services, especially the mirrors.

    His reasoning was that when a high-value target downloads a security update for package foo, an adversary knows that they are still using a vulnerable version of foo and try to attack before the security update has been installed.

    In this specific case, TLS is not of much use though. If the target downloads 4.7 MiB right after a security update with 4.7 MiB has been released, or downloads from security.debian.org, it's still obvious what's happening. Even padding won't help much as the 5 MiB download will also be suspicious. The mere act of downloading anything from the mirrors after an update has been released is reason enough to try an attack.

    The solution, is, of course, Tor.

    - richardhartmann.de/ blog/ posts/ 2015/ 08/ Tor-enabled Debian mirror [richardhartmann.de]

    Essentially, if you are acting as a relay, that can mask the fact that you are running an important security update. To be honest, I was not aware of the attack scenario mentioned.

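The size-correlation argument quoted in the comment above, modelled as an added example that is not part of the original story, comment or blog post. Package names, sizes, release times and overhead figures are constructed, and `pad`, `observe` and `candidates` are hypothetical helpers.

```python
from dataclasses import dataclass

MIB = 1024 * 1024

@dataclass(frozen=True)
class Update:
    package: str
    size: int         # bytes of the published package file
    released_at: int  # seconds since an arbitrary epoch

# Constructed sample data: hypothetical security updates on a mirror.
RELEASED = [
    Update("foo", int(4.7 * MIB), 1000),
    Update("qux", int(4.2 * MIB), 1000),
    Update("bar", int(1.2 * MIB), 1000),
    Update("baz", int(12.9 * MIB), 400),
]

def pad(size, bucket):
    """Round a transfer up to the next multiple of `bucket` bytes (0 = no padding)."""
    return size if bucket == 0 else -(-size // bucket) * bucket

def observe(package, bucket=0, framing=0.01):
    """Ciphertext length on the wire when a client fetches `package` over TLS.

    `framing` is an assumed 1% TLS/HTTP overhead; the payload itself is hidden.
    """
    size = next(u.size for u in RELEASED if u.package == package)
    return int(pad(size, bucket) * (1 + framing))

def candidates(observed, seen_at, bucket=0, overhead=0.03, window=3600):
    """Updates consistent with an encrypted transfer of `observed` bytes.

    Only ciphertext length and time are used. An update matches if it was
    released at most `window` seconds before the transfer and its (padded)
    size is within `overhead` of the observed length.
    """
    matches = []
    for u in RELEASED:
        expected = pad(u.size, bucket)
        recent = 0 <= seen_at - u.released_at <= window
        if recent and expected <= observed <= expected * (1 + overhead):
            matches.append(u.package)
    return matches

if __name__ == "__main__":
    print(candidates(observe("foo"), seen_at=1300))                   # no padding
    print(candidates(observe("foo", MIB), seen_at=1300, bucket=MIB))  # 1 MiB buckets
```

Without padding the transfer maps to `foo` alone; with 1 MiB buckets it maps to `foo` or `qux`, both of them fresh security updates, so the fact that the host is not yet patched is still visible. That residual leak is what fetching from an onion-service mirror is meant to remove.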