

ggg2 | 6 years ago

hiding packages you have installed from your ISP/NSA/etc.

this discussion comes up time and time again (in rpm, apt et al). the consensus is: if you need that extra feature, manually download sensitive packages via ssl or something. everyone else (with nothing to hide, heh) keeps benefiting from a global cache of unencrypted transport of (mostly) open source data.

discuss


BuildTheRobots|6 years ago

Transport security & confidentiality makes sense (though at first I was trying to work out how an encrypted yum package would work).

Yum with CentOS 6 and above does support SSL for mirror sites and a handful of global mirrors also support it (HEG being one).

I suppose there's a slight race condition (e.g. how do I update the CA-Certificates bundle when I need the new CA-Certificates bundle to connect to the mirror site to download the update), however I tend to agree there should be some privacy as default.

solatic|6 years ago

As pwnna pointed out, package size gives you away.

The real way to protect against this, if it's genuinely part of your threat model, is to maintain a complete local mirror: you can't tell what is installed and at what versions if you simply download everything.

And if it's actually part of your threat model, then you likely have a large enough install base that you need a local mirror for performance/non-security reasons anyway. So it's really a non-issue.

ses1984|6 years ago

You can cache things that are encrypted too, or do you think DRM-protected Netflix videos are all streamed from the origin? Yeah, it's a bit more complicated...

forgottenpass|6 years ago

If by "origin" you mean "box Netflix has root on"... yes, I do think that?

rhinoceraptor|6 years ago

Netflix runs a fleet of their own CDN boxes, that they put in ISP data centers.

eeZah7Ux|6 years ago

The combination of IP addresses and package sizes is way too revealing. That's why APT supports Tor as a transport protocol.

pwnna|6 years ago

Does that help? I thought the package size is quite revealing.

isostatic|6 years ago

In some cases (although the server could presumably send some random-length data headers if that's a concern), but if you download multiple packages on a single connection, can it still be tracked?
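The thread makes three claims that are easy to check numerically: pwnna's and eeZah7Ux's point that a transfer size alone narrows a download to a handful of packages even when the transport is encrypted, isostatic's suggestion that padding the response blunts this, and the question of whether batching several packages on one connection hides them. The script below is an added example written for this thread, not code from any of the posters or from apt/yum; the package index and its sizes are constructed toy values, and the 256 KiB bucket is an assumed padding policy. It measures the "anonymity set" an observer is left with, with and without padding, and shows that batched downloads still leave a subset-sum signature on a small index.

```python
"""Measure how much a package's on-the-wire size reveals, and what padding buys.

Added example for the thread above; the index below is constructed sample data
(hypothetical package names and byte counts), not a real repository listing.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample index: package name -> compressed archive size in bytes.
# A real mirror publishes exact sizes in its metadata, which is what makes
# size matching possible for an observer who only sees TLS record lengths.
PACKAGE_INDEX = {
    "openssh-server": 312_456,
    "tor": 1_500_000,
    "nginx": 512_000,
    "wireguard-tools": 98_304,
    "curl": 255_120,
    "vim": 1_402_500,
    "tmux": 312_456,   # deliberately identical to openssh-server
    "htop": 97_010,
}

BUCKET = 256 * 1024  # assumed padding granularity (256 KiB), not a real apt/yum setting


def candidates(observed_size, index=PACKAGE_INDEX, slack=0):
    """Packages whose size matches an observed transfer within `slack` bytes.

    `slack` absorbs fixed per-request overhead (headers, TLS framing) that an
    observer would subtract before matching.
    """
    return sorted(name for name, size in index.items()
                  if abs(size - observed_size) <= slack)


def pad_to_bucket(size, bucket=BUCKET):
    """Deterministic padding: round the response up to the next bucket boundary.

    Deterministic buckets are preferable to random padding because every
    package in a bucket then looks identical, rather than merely noisy.
    """
    return -(-size // bucket) * bucket


def anonymity_sets(index=PACKAGE_INDEX, pad=None):
    """Group packages by the byte count an observer would see on the wire."""
    groups = defaultdict(list)
    for name, size in index.items():
        wire_size = pad(size) if pad else size
        groups[wire_size].append(name)
    return {wire: sorted(names) for wire, names in groups.items()}


def min_anonymity(index=PACKAGE_INDEX, pad=None):
    """Smallest group size: 1 means at least one package is uniquely identifiable."""
    return min(len(names) for names in anonymity_sets(index, pad).values())


def batch_candidates(total, index=PACKAGE_INDEX, max_items=3):
    """Which combinations of up to `max_items` packages sum to an observed total?

    Brute-force subset sum; fine for a toy index, and enough to show that
    downloading several packages over one keep-alive connection does not
    by itself hide which ones they were.
    """
    names = sorted(index)
    hits = []
    for k in range(1, max_items + 1):
        for combo in combinations(names, k):
            if sum(index[n] for n in combo) == total:
                hits.append(combo)
    return hits


if __name__ == "__main__":
    print("single transfer of 312456 bytes ->", candidates(312_456))
    print("unpadded min anonymity set:", min_anonymity())
    print("padded   min anonymity set:", min_anonymity(pad=pad_to_bucket))
    print("padded groups:", anonymity_sets(pad=pad_to_bucket))
    print("batch of 609010 bytes ->", batch_candidates(609_010))
```

On this toy index, unpadded sizes identify six of eight packages uniquely; rounding every response up to a 256 KiB bucket raises the smallest anonymity set from one to two, but the two large packages still share a bucket only with each other, which is the caveat solatic raises: padding narrows the leak, while a complete local mirror (download everything) is what actually removes it.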