Use apt-transport-https to protect against security issues in APT?
Update: this ticket has gone wild, and then has been focussed again. See comment 14 for a current summary, and next things to do.
Initial description follows.
For people who use apt-get in TAILS, like for adding packages to the persistent store, there can be a lot of metadata leaked to the internet when apt-get contacts Debian repositories using a default config. Mostly, that is because by default, the connects are unencrypted (http, ftp, rsync). Chances are that TAILS users using apt-get will each have a unique set of packages that they install, so that provides a unique fingerprint for that TAILS instance.
Luckily, there are some relatively easy steps that greatly reduce the amount of metadata that is leaked: using HTTPS connections to the mirrors, and setting apt-get to pipeline as many transactions into a given HTTPS session. The downside is that it is not common for Debian machines to connect to apt mirrors using HTTPS, so that potentially marks the install as a TAILS install. There are more and more HTTPS mirrors, and more interest in using them, so I think in time, that will only lessen as a concern.
On that note, here is the config that I have been using on a number of Debian-deriv machines, and it has been working well. It requires apt-transport-https.
$ cat /etc/apt/apt.conf.d/99force-tor
# force everything through privoxy HTTP proxy to tor
Acquire::ftp::Proxy "http://127.0.0.1:8118";
Acquire::http::Proxy "http://127.0.0.1:8118";
Acquire::https::Proxy "http://127.0.0.1:8118";
# re-use HTTPS connections to make profiling harder
Acquire::http::Pipeline-Depth "50";
Acquire::https::Pipeline-Depth "50";
Acquire::https::SslForceVersion "TLSv1";
I have found about 10 official Debian mirrors that have reliable HTTPS. Then I have a script that finds all of them (attached), but many have self-signed certs and other issues. A number of the HTTPS mirrors also mirror the “security” archive, but I recommend that the http URL to the official security.debian.org repo is still included to make sure that security updates are promptly available.
I also have a test security repo running that is only available via an .onion address. I hope to encourage people to run official mirrors on a Tor Hidden Service, then HTTPS is not needed. Note that apt-transport-tor is not required if a tor proxy is set up. To try mine, add it to your sources.list (and make sure apt-get is somehow using Tor). The order is important, that determines the priority of where apt-get will get the package from if all other variables are the same.
deb http://dju2peblv7upfz3q.onion/debian-security/ wheezy/updates main
deb http://security.debian.org/ wheezy/updates main
Attachments
Related issues
- Related to #11556 (closed)
- Related to #8192 (closed)
Original created by @hans on 8143 (Redmine)
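
An added example, not part of the original ticket or of Tails: a small audit of the two settings the description relies on. It reports, in sources.list order, which entries use an onion service, TLS or cleartext, and which Acquire proxy schemes are left unset. The `mirror.example.org` and `ftp.example.org` entries, the shortened apt.conf sample and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample inputs modelled on the configuration in the ticket.
SOURCES = """\
deb http://dju2peblv7upfz3q.onion/debian-security/ wheezy/updates main
deb http://security.debian.org/ wheezy/updates main
deb [arch=amd64] https://mirror.example.org/debian/ wheezy main
# deb ftp://ftp.example.org/debian/ wheezy main
"""
APT_CONF = """\
# force everything through privoxy HTTP proxy to tor
Acquire::ftp::Proxy "http://127.0.0.1:8118";
Acquire::http::Proxy "http://127.0.0.1:8118";
"""

def classify_sources(text):
    """Return [(uri, verdict)] for each active one-line deb entry, in file order."""
    results = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"deb(?:-src)?\s+(?:\[[^\]]*\]\s+)?(\S+)", line)
        if not m:
            continue
        uri = m.group(1)
        parts = urlsplit(uri)
        host = (parts.hostname or "").lower()
        if host.endswith(".onion"):
            verdict = "onion"        # reached inside Tor, no HTTPS needed
        elif parts.scheme == "https":
            verdict = "tls"          # needs apt-transport-https
        else:
            verdict = "cleartext"    # requested package names are observable
        results.append((uri, verdict))
    return results

def unproxied_schemes(conf, schemes=("ftp", "http", "https")):
    """Return the schemes that have no Acquire::<scheme>::Proxy line."""
    found = {m.group(1).lower() for m in re.finditer(
        r'^\s*Acquire::(\w+)::Proxy\s+"[^"]+"\s*;', conf, re.M)}
    return [s for s in schemes if s not in found]

if __name__ == "__main__":
    for uri, verdict in classify_sources(SOURCES):
        print(f"{verdict:9} {uri}")
    print("no proxy set for:", unproxied_schemes(APT_CONF) or "none")
```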