Use apt-transport-https to protect against security issues in APT?
Update: this ticket has gone wild, and then has been focussed again. See comment 14 for a current summary, and next things to do.
Initial description follows.
For people who use apt-get in TAILS, for example to add packages to the
persistent store, a lot of metadata can be leaked to the internet when
apt-get contacts Debian repositories using the default config.
Mostly, that is because by default the connections are unencrypted (http,
ftp, rsync). Chances are that TAILS users using apt-get will each have
a unique set of packages that they install, so that provides a unique
fingerprint for that TAILS instance.
Luckily, there are some relatively easy steps that greatly reduce the
amount of metadata that is leaked: using HTTPS connections to the
mirrors, and setting apt-get to pipeline as many transactions as
possible into a given HTTPS session. The downside is that it is not
common for Debian machines to connect to apt mirrors using HTTPS, so
that potentially marks the install as a TAILS install. There are more
and more HTTPS mirrors, and more interest in using them, so I think that
in time this will only lessen as a concern.
On that note, here is the config that I have been using on a number of
Debian-derived machines, and it has been working well. It requires

$ cat /etc/apt/apt.conf.d/99force-tor
# force everything through privoxy HTTP proxy to tor
Acquire::ftp::Proxy "http://127.0.0.1:8118";
Acquire::http::Proxy "http://127.0.0.1:8118";
Acquire::https::Proxy "http://127.0.0.1:8118";
# re-use HTTPS connections to make profiling harder
Acquire::http::Pipeline-Depth "50";
Acquire::https::Pipeline-Depth "50";
Acquire::https::SslForceVersion "TLSv1";
I have found about 10 official Debian mirrors that have reliable HTTPS.
I also have a script that finds all of them (attached), but many have
self-signed certs and other issues. A number of the HTTPS mirrors also
mirror the "security" archive, but I recommend that the http URL to the
security.debian.org repo is still included to make sure that security
updates are promptly available.
I also have a test security repo running that is only available via an
.onion address. I hope to encourage people to run official mirrors on a
Tor Hidden Service; then HTTPS is not needed. Note that
apt-transport-tor is not required if a tor proxy is set up. To try
mine, add it to your sources.list (and make sure apt-get is somehow
using Tor). The order is important: that determines the priority of
where apt-get will get the package from, if all other variables are the

deb http://dju2peblv7upfz3q.onion/debian-security/ wheezy/updates main
deb http://security.debian.org/ wheezy/updates main
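The two things the ticket asks the reader to check by hand (is every scheme apt uses actually going through the local Tor proxy, and in what order will the security archive be consulted) can be checked statically. The following is an added example, not the ticket author's attached mirror-finding script and not part of Tails or apt. It parses the apt.conf.d fragment quoted above and a constructed sources.list (the two security lines from the ticket plus two hypothetical mirrors on example.org hosts that are not real Debian mirrors) and reports: sources fetched in the clear to a non-.onion host, schemes with no Acquire::<scheme>::Proxy set (those bypass Tor), .onion sources without a proxy (apt would hand the name to the system resolver), and the order of the */updates sources.

```python
import re
from urllib.parse import urlsplit

# Constructed input: the apt.conf.d fragment quoted in the ticket above.
APT_CONF = '''
# force everything through privoxy HTTP proxy to tor
Acquire::ftp::Proxy "http://127.0.0.1:8118";
Acquire::http::Proxy "http://127.0.0.1:8118";
Acquire::https::Proxy "http://127.0.0.1:8118";
# re-use HTTPS connections to make profiling harder
Acquire::http::Pipeline-Depth "50";
Acquire::https::Pipeline-Depth "50";
Acquire::https::SslForceVersion "TLSv1";
'''

# Constructed sources.list: the two security lines from the ticket plus two
# hypothetical mirrors on example.org hosts (assumptions, not real mirrors).
SOURCES_LIST = '''
deb http://dju2peblv7upfz3q.onion/debian-security/ wheezy/updates main
deb http://security.debian.org/ wheezy/updates main
deb https://mirror.example.org/debian/ wheezy main contrib
deb ftp://ftp.example.org/debian/ wheezy main
'''

# Matches one-line apt options such as:  Acquire::http::Proxy "http://127.0.0.1:8118";
CONF_LINE = re.compile(r'^\s*([\w:.-]+)\s+"([^"]*)"\s*;')


def parse_apt_conf(text):
    """Return {option: value} for one-line `Key "value";` settings, ignoring # comments."""
    conf = {}
    for line in text.splitlines():
        m = CONF_LINE.match(line.split('#', 1)[0])
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def parse_sources(text):
    """Return one dict per deb/deb-src line, preserving file order (which is apt's priority)."""
    sources = []
    for line in text.splitlines():
        parts = line.split('#', 1)[0].split()
        if len(parts) < 3 or parts[0] not in ('deb', 'deb-src'):
            continue
        url = urlsplit(parts[1])
        sources.append({'scheme': url.scheme, 'host': url.hostname or '', 'suite': parts[2]})
    return sources


def audit(conf, sources):
    """Return (findings, security_order).

    findings: (host, code, message) tuples, where code is one of
      onion-no-proxy  .onion source whose scheme has no proxy (name would go to DNS)
      no-proxy        scheme has no Acquire::<scheme>::Proxy, so it bypasses Tor
      cleartext       http/ftp to a non-.onion host; fetched package names are on the wire
    security_order: hosts serving a */updates suite, in the order apt consults them.
    """
    findings = []
    for src in sources:
        scheme, host = src['scheme'], src['host']
        proxied = f'Acquire::{scheme}::Proxy' in conf
        onion = host.endswith('.onion')
        if onion and not proxied:
            findings.append((host, 'onion-no-proxy',
                             f'{scheme} has no proxy; the .onion name would be resolved via DNS'))
        elif not proxied:
            findings.append((host, 'no-proxy', f'{scheme} traffic is not routed through Tor'))
        if scheme in ('http', 'ftp') and not onion:
            findings.append((host, 'cleartext',
                             f'{scheme} is unencrypted; package names are visible to the network'))
    security_order = [s['host'] for s in sources if s['suite'].endswith('/updates')]
    return findings, security_order


def audit_texts(conf_text, sources_text):
    """Convenience wrapper: audit raw apt.conf and sources.list text."""
    return audit(parse_apt_conf(conf_text), parse_sources(sources_text))


if __name__ == '__main__':
    found, order = audit_texts(APT_CONF, SOURCES_LIST)
    for host, code, msg in found:
        print(f'{code:15} {host}: {msg}')
    print('security archive order:', ' > '.join(order))
```

With the ticket's config every scheme is proxied, so the only findings are the two cleartext sources (security.debian.org over http and the hypothetical ftp mirror), and the security order comes out as the .onion first, security.debian.org second. Run against an empty apt.conf the same sources produce no-proxy and onion-no-proxy findings instead. The check is purely static: it does not verify that something on 127.0.0.1:8118 is really privoxy in front of Tor, nor that an HTTPS mirror presents a valid certificate.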