Use apt-transport-https to protect against security issues in APT?

Update: this ticket has gone wild, and then has been focussed again. See comment 14 for a current summary, and next things to do.

Initial description follows.

For people who use apt-get in TAILS, like for adding packages to the persistent store, there can be a lot of metadata leaked to the internet when apt-get contacts Debian repositories using a default config. Mostly, that is because by default, the connections are unencrypted (http, ftp, rsync). Chances are that TAILS users using apt-get will each have a unique set of packages that they install, so that provides a unique fingerprint for that TAILS instance.

Luckily, there are some relatively easy steps that greatly reduce the amount of metadata that is leaked: using HTTPS connections to the mirrors, and setting apt-get to pipeline as many transactions as possible into a given HTTPS session. The downside is that it is not common for Debian machines to connect to apt mirrors using HTTPS, so that potentially marks the install as a TAILS install. There are more and more HTTPS mirrors, and more interest in using them, so I think in time, that will only lessen as a concern.

On that note, here is the config that I have been using on a number of Debian-deriv machines, and it has been working well. It requires apt-transport-https.

$ cat /etc/apt/apt.conf.d/99force-tor
# force everything through privoxy HTTP proxy to tor
Acquire::ftp::Proxy "http://127.0.0.1:8118";
Acquire::http::Proxy "http://127.0.0.1:8118";
Acquire::https::Proxy "http://127.0.0.1:8118";

# re-use HTTPS connections to make profiling harder
Acquire::http::Pipeline-Depth "50";
Acquire::https::Pipeline-Depth "50";

Acquire::https::SslForceVersion "TLSv1";

I have found about 10 official Debian mirrors that have reliable HTTPS. Then I have a script that finds all of them (attached), but many have self-signed certs and other issues. A number of the HTTPS mirrors also mirror the “security” archive, but I recommend that the http URL to the official security.debian.org repo is still included to make sure that security updates are promptly available.

I also have a test security repo running that is only available via an .onion address. I hope to encourage people to run official mirrors on a Tor Hidden Service, then HTTPS is not needed. Note that apt-transport-tor is not required if a tor proxy is set up. To try mine, add it to your sources.list (and make sure apt-get is somehow using Tor). The order is important; that determines the priority of where apt-get will get the package from if all other variables are the same.

deb http://dju2peblv7upfz3q.onion/debian-security/ wheezy/updates main
deb http://security.debian.org/ wheezy/updates main


Original created by @hans on 8143 (Redmine)
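
An added example, not part of the original ticket or its attached script: a small audit that reads one-line-style sources.list entries and reports which ones are fetched over a cleartext transport to a public host, which use https, and which point at an .onion address. The function name, the verdict labels and the mirror.example.org entries are constructed for illustration.

```python
from urllib.parse import urlsplit

CLEARTEXT = {"http", "ftp", "rsync"}  # the unencrypted transports the ticket lists
ENCRYPTED = {"https"}

# Constructed sample: first two entries are from the ticket, the rest are placeholders.
SAMPLE = """\
# security updates
deb http://dju2peblv7upfz3q.onion/debian-security/ wheezy/updates main
deb http://security.debian.org/ wheezy/updates main
deb [ arch=amd64 ] https://mirror.example.org/debian/ wheezy main
deb-src ftp://mirror.example.org/debian/ wheezy main
"""

def classify_sources(text):
    """Return [(uri, verdict)]; verdict is onion, encrypted, cleartext or other."""
    results = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not fields or fields[0] not in ("deb", "deb-src"):
            continue
        i = 1
        if i < len(fields) and fields[i].startswith("["):
            # skip the optional "[ key=value ... ]" options block
            while i < len(fields) and not fields[i].endswith("]"):
                i += 1
            i += 1
        if i >= len(fields):
            continue  # malformed entry: no URI
        uri = fields[i]
        parts = urlsplit(uri)
        scheme = parts.scheme.lower()
        if scheme.startswith("tor+"):
            scheme = scheme[4:]  # apt-transport-tor wraps an inner transport
        host = (parts.hostname or "").lower()
        if host.endswith(".onion"):
            verdict = "onion"  # encrypted end to end inside Tor
        elif scheme in ENCRYPTED:
            verdict = "encrypted"
        elif scheme in CLEARTEXT:
            verdict = "cleartext"  # requested paths readable in transit
        else:
            verdict = "other"  # file:, cdrom:, etc.
        results.append((uri, verdict))
    return results

if __name__ == "__main__":
    for uri, verdict in classify_sources(SAMPLE):
        print(f"{verdict:10} {uri}")
```
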