Tor-enabled Debian mirror part 2

Well, that was quite some feedback to my last post; via blog, email, IRC, and in person. I actually think this may be the most feedback I ever got to any single blog post. If you are still waiting for a reply after this new post, I will get back to you.

To handle common questions/information at once:

- It was the first download from an official Tor-enabled mirror; I know people downloaded updates via Tor before
- Yes, having this in the Debian installer as an option would be very nice
- Yes, there are ways to load balance Tor hidden services these days and the prerequisites are being worked on already
- Yes, that load balanced setup will support hardware key tokens
- A natively hidden service is more secure than accessing a non-hidden service via Tor because there is no way for a third-party exit node to mess with your traffic
- apt-get etc. will leak information about your architecture, release, suites, desired packages, and package versions.
Read more...

Tor-enabled Debian mirror

During Jacob Appelbaum’s talk at DebConf15, he noted that Debian should TLS-enable all services, especially the mirrors. His reasoning was that when a high-value target downloads a security update for package foo, an adversary knows that the target is still using a vulnerable version of foo and can try to attack before the security update has been installed. In this specific case, TLS is not of much use though. If the target downloads 4.
Read more...