guix-patches

[bug#29046] [PATCH] gnu: linux-libre: Change URL to HTTPS.


From: Ludovic Courtès
Subject: [bug#29046] [PATCH] gnu: linux-libre: Change URL to HTTPS.
Date: Tue, 07 Nov 2017 22:12:31 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

Mark H Weaver <address@hidden> writes:

> Is an active attack needed to determine which file we are downloading
> from linux-libre.fsfla.org?  I think not.  The IP address of that host
> reverse resolves to "linux-libre.fsfla.org", which makes it obvious.
> The title of the paper Ludovic cited above makes the point:
>
>   I Know Why You Went to the Clinic
>
> or in this case:
>
>   I know why you downloaded 97 megabytes from linux-libre.fsfla.org.
>
> Unless I'm mistaken, using TLS does *not* foil passive surveillance for
> source downloads in the overwhelming majority of cases, and especially
> not in this case.  Even at web sites that serve a larger variety of
> software, determining what was downloaded by the amount of data
> transferred does not require an active attack.

You’re right, though it’s already more work for github.com (11% of our
packages) or PyPI (17% of our packages).

This discussion is also interesting in the context of
<https://bugs.gnu.org/28659>, where one of the options discussed would
be to favor content-addressable mirrors over upstream sites.

Ludo’.
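
The size-based inference discussed in this message, as an added example that is not part of the original e-mail or of Guix: it measures how many files on a host are indistinguishable by transfer size alone, comparing a single-tarball host with a multi-package host. The catalogues, file names, sizes and the 1% tolerance are constructed assumptions.

```python
"""How distinguishable are downloads by transfer size when TLS hides the URL?"""

# Assumption: a passive observer sees a byte count within +/- TOLERANCE of the
# real file size (TLS record and HTTP header overhead). 1% is illustrative.
TOLERANCE = 0.01

# Constructed catalogues: a host serving one large tarball, and a host
# serving many packages, some of them close in size.
SINGLE_FILE_HOST = {"kernel-source.tar.xz": 97_000_000}
MIRROR = {
    "pkg-a.tar.gz": 1_200_000,
    "pkg-b.tar.gz": 1_205_000,
    "pkg-c.tar.gz": 1_210_000,
    "pkg-d.tar.gz": 4_800_000,
    "pkg-e.tar.gz": 97_000_000,
    "pkg-f.tar.gz": 350_000,
}


def candidates(catalogue, observed, tolerance=TOLERANCE):
    """Files whose size is consistent with the observed transfer size."""
    return sorted(
        name
        for name, size in catalogue.items()
        if abs(size - observed) <= tolerance * size
    )


def anonymity_sets(catalogue, tolerance=TOLERANCE):
    """For each file, how many catalogue files fit its transfer size."""
    return {
        name: len(candidates(catalogue, size, tolerance))
        for name, size in catalogue.items()
    }


def uniquely_identifiable(catalogue, tolerance=TOLERANCE):
    """Fraction of files an observer can name from the byte count alone."""
    sets = anonymity_sets(catalogue, tolerance)
    return sum(1 for n in sets.values() if n == 1) / len(sets)


if __name__ == "__main__":
    for label, cat in (("single-file host", SINGLE_FILE_HOST), ("mirror", MIRROR)):
        print(label, anonymity_sets(cat), uniquely_identifiable(cat))
```

On the constructed mirror only the three similarly sized packages hide among each other; the large tarball stays identifiable by size even on the shared host.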




