During Jacob Applebaum's talk at DebConf15, he noted that Debian should TLS-enable all services, especially the mirrors.
His reasoning was that when a high-value target downloads a security update for package foo, an adversary knows that they are still using a vulnerable version of foo and can try to attack before the security update has been installed.
In this specific case, TLS is not of much use though. If the target downloads 4.7 MiB right after a security update of 4.7 MiB has been released, or downloads from security.debian.org at all, it's still obvious what's happening. Even padding won't help much, as a 5 MiB download will be just as suspicious. The mere act of downloading anything from the mirrors after an update has been released is reason enough to try an attack.
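To make the size argument concrete, here is an added illustration (not from the original post) of how little an observer needs: a constructed catalogue of update sizes, an observed transfer size, and the set of packages it could correspond to, with and without padding. The package names, sizes, and the 2% overhead figure are made-up assumptions.

```python
# Constructed catalogue of recently published security updates: name -> .deb size in bytes.
# These sizes are invented for illustration and are not real Debian package sizes.
CATALOG = {
    "foo": 4_928_000,   # roughly the 4.7 MiB update from the post
    "bar": 131_072,
    "baz": 4_940_000,   # deliberately close in size to foo
    "qux": 22_000_000,
}

# Assumed upper bound on TLS record/framing overhead relative to the payload.
TLS_OVERHEAD = 0.02


def candidates(observed_bytes, catalog=CATALOG, overhead=TLS_OVERHEAD):
    """Packages whose encrypted transfer could plausibly produce observed_bytes on the wire.

    A passive observer only sees the ciphertext volume, but that is enough to
    shrink the catalogue to the few packages of matching size."""
    return sorted(
        name for name, size in catalog.items()
        if size <= observed_bytes <= size * (1 + overhead)
    )


def padded_size(size, pad_to=1 << 20):
    """Size after the server pads every download up to the next multiple of pad_to (1 MiB)."""
    return -(-size // pad_to) * pad_to


def candidates_with_padding(observed_bytes, catalog=CATALOG, pad_to=1 << 20,
                            overhead=TLS_OVERHEAD):
    """Same question when the mirror pads downloads: the candidate set barely grows."""
    return sorted(
        name for name, size in catalog.items()
        if padded_size(size, pad_to) <= observed_bytes
        <= padded_size(size, pad_to) * (1 + overhead)
    )


if __name__ == "__main__":
    print(candidates(4_928_000))                  # ['foo']
    print(candidates(4_950_000))                  # ['baz', 'foo']
    print(candidates_with_padding(5 << 20))       # ['baz', 'foo']: padding to 5 MiB does not hide foo
```

Padding every download to a round size collapses foo and baz into one bucket, but the observer still learns that one of two fresh security updates was fetched, which is the post's point: only moving the download off the observable path, as Tor does, removes the signal.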
The solution is, of course, Tor.
weasel was nice enough to set up a hidden service on Debian's infrastructure; initially we agreed that he would just give me a VM and I would do the actual work, but he went the full way on his own. Thanks :) This service is not redundant, it uses a key which is stored on the local drive, the .onion will change, and things are expected to break.
But at least this service exists now and can be used, tested, and put under some load:
I couldn't get apt-get to be content with a .onion in
torify wrapper worked like a charm. What follows is, to the best of my knowledge, the first ever download from Debian's "official" Tor-enabled mirror:
~ # apt-get install torsocks
~ # mv /etc/apt/sources.list /etc/apt/sources.list.backup
~ # echo 'deb http://vwakviie2ienjx6t.onion/debian/ unstable main non-free contrib' > /etc/apt/sources.list
~ # torify apt-get update
Get:1 http://vwakviie2ienjx6t.onion unstable InRelease [215 kB]
Get:2 http://vwakviie2ienjx6t.onion unstable/main amd64 Packages [7548 kB]
Get:3 http://vwakviie2ienjx6t.onion unstable/non-free amd64 Packages [91.9 kB]
Get:4 http://vwakviie2ienjx6t.onion unstable/contrib amd64 Packages [58.5 kB]
Get:5 http://vwakviie2ienjx6t.onion unstable/main i386 Packages [7541 kB]
Get:6 http://vwakviie2ienjx6t.onion unstable/non-free i386 Packages [85.4 kB]
Get:7 http://vwakviie2ienjx6t.onion unstable/contrib i386 Packages [58.1 kB]
Get:8 http://vwakviie2ienjx6t.onion unstable/contrib Translation-en [45.7 kB]
Get:9 http://vwakviie2ienjx6t.onion unstable/main Translation-en [5060 kB]
Get:10 http://vwakviie2ienjx6t.onion unstable/non-free Translation-en [80.8 kB]
Fetched 20.8 MB in 2min 0s (172 kB/s)
Reading package lists... Done
~ # torify apt-get install vim
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  vim-common vim-nox vim-runtime vim-tiny
Suggested packages:
  ctags vim-doc vim-scripts cscope indent
The following packages will be upgraded:
  vim vim-common vim-nox vim-runtime vim-tiny
5 upgraded, 0 newly installed, 0 to remove and 661 not upgraded.
Need to get 0 B/7719 kB of archives.
After this operation, 2048 B disk space will be freed.
Do you want to continue? [Y/n]
Retrieving bug reports... Done
Parsing Found/Fixed information... Done
Reading changelogs... Done
(Reading database ... 316427 files and directories currently installed.)
Preparing to unpack .../vim-nox_2%3a7.4.826-1_amd64.deb ...
Unpacking vim-nox (2:7.4.826-1) over (2:7.4.712-3) ...
Preparing to unpack .../vim_2%3a7.4.826-1_amd64.deb ...
Unpacking vim (2:7.4.826-1) over (2:7.4.712-3) ...
Preparing to unpack .../vim-tiny_2%3a7.4.826-1_amd64.deb ...
Unpacking vim-tiny (2:7.4.826-1) over (2:7.4.712-3) ...
Preparing to unpack .../vim-runtime_2%3a7.4.826-1_all.deb ...
Unpacking vim-runtime (2:7.4.826-1) over (2:7.4.712-3) ...
Preparing to unpack .../vim-common_2%3a7.4.826-1_amd64.deb ...
Unpacking vim-common (2:7.4.826-1) over (2:7.4.712-3) ...
Processing triggers for man-db (18.104.22.168-5) ...
Processing triggers for mime-support (3.58) ...
Processing triggers for desktop-file-utils (0.22-1) ...
Processing triggers for hicolor-icon-theme (0.13-1) ...
Setting up vim-common (2:7.4.826-1) ...
Setting up vim-runtime (2:7.4.826-1) ...
Processing /usr/share/vim/addons/doc
Setting up vim-nox (2:7.4.826-1) ...
Setting up vim (2:7.4.826-1) ...
Setting up vim-tiny (2:7.4.826-1) ...
~ #
More services will follow. noodles, weasel, and I agreed that the project as a whole should aim to Tor-enable the complete package lifecycle, package information, and the website.
Maybe a more secure install option on the official images which, amongst other things, sets up apt, apt-listbugs, dput, reportbug, et al. to use Tor without further configuration could even be a realistic stretch goal.