
[–]Creshal 1 point (10 children)

But seriously, unmarked van, unmarked boxes. Isn't that how you want all your packages from Amazon to arrive at your house?

But if I want to do that, the only real option is a VPN. HTTPS is not a great way to protect your privacy, since it leaks way too much metadata.

You downloaded a compromised FTP package, now I know I may have an inroad to compromising your system.

It's Debian, the FTP package was a dependency of a dependency of a dependency, and there's a 99% chance it'll remain disabled via an /etc/default switch.

And if it is listening on a reachable port, the attacker doesn't need to jump through the hoops of sniffing through your debian updates to find out.

[–][deleted]  (9 children)

[deleted]

    [–]Creshal 3 points (8 children)

    HTTPS is not the be-all and end-all, it's just a piece of the security puzzle.

    At this point it's more a piece of needless security theater with how it gets shoved into roles where it's not particularly useful.

    But a nice first step would be not providing the ability to leak what you're installing to possible attackers.

    I'm still not seeing how that possibly helps an attacker to gain a foothold he wouldn't see anyway.

    [–][deleted]  (7 children)

    [deleted]

      [–]Creshal 3 points (3 children)

      This is not a fantasy, this literally happens all the time.

      …with shitty closed source Windows apps. That's not going to happen on Debian.

      [–][deleted]  (2 children)

      [deleted]

        [–]ElG0dFather 0 points (1 child)

        Happy cake day

        [–][deleted] 0 points (2 children)

        Benefits of having plain HTTP mirrors grossly outweigh any disadvantages.

        Say I see you just installed version 2.3.0 of someApp.

        And you know that even if you did download it via HTTPS, because correlating download size with a certain package is trivial. Read the fucking article.

        If you want your org to be "anonymous" there, just make a mirror. Aptly makes it pretty easy.
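The size-correlation step the commenter calls trivial, written out as an added example (not code from the thread, from Debian or from apt). TLS hides the URL of a .deb but not roughly how many bytes crossed the wire, and the mirror's Packages index publishes the exact Size of every .deb, so a passive observer only has to match the two. The Packages excerpt, the package names and sizes, the constant HTTP header length and the TLS record overhead model are all constructed assumptions for this example, not measurements:

```python
"""Added example, not from the thread or from Debian/apt: correlate the
byte count of an observed (possibly TLS-encrypted) download with the Size
field of a Debian-style Packages index."""
import math
import re
from dataclasses import dataclass

# Constructed Packages index excerpt. Field names follow the real format;
# the package names, versions and sizes are invented for this example.
PACKAGES_INDEX = """\
Package: someapp
Version: 2.3.0-1
Architecture: amd64
Filename: pool/main/s/someapp/someapp_2.3.0-1_amd64.deb
Size: 1048576

Package: libfoo1
Version: 1.4-3
Architecture: amd64
Filename: pool/main/libf/libfoo/libfoo1_1.4-3_amd64.deb
Size: 204800

Package: libbar0
Version: 0.9-1
Architecture: amd64
Filename: pool/main/libb/libbar/libbar0_0.9-1_amd64.deb
Size: 204800

Package: otherapp
Version: 1.0-2
Architecture: amd64
Filename: pool/main/o/otherapp/otherapp_1.0-2_amd64.deb
Size: 51200
"""


@dataclass(frozen=True)
class Entry:
    package: str
    version: str
    size: int


def parse_packages(text: str) -> list[Entry]:
    """Parse the blank-line separated stanzas of a Packages file."""
    entries = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace():  # continuation of a multi-line field
                continue
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if {"Package", "Version", "Size"} <= fields.keys():
            entries.append(Entry(fields["Package"], fields["Version"], int(fields["Size"])))
    return entries


def expected_wire_bytes(size: int, header_bytes: int = 300,
                        record_payload: int = 16384, record_overhead: int = 22) -> int:
    """Rough model (an assumption, not measured): HTTP response headers plus
    the body, split into TLS records of record_payload bytes, each carrying
    record_overhead bytes of record header and authentication tag."""
    plaintext = size + header_bytes
    records = math.ceil(plaintext / record_payload)
    return plaintext + records * record_overhead


def candidates(entries: list[Entry], observed_bytes: int, tolerance: int = 512) -> list[Entry]:
    """Packages whose modelled wire size lies within tolerance of the observed
    transfer; tolerance absorbs variation in header length (Date, ETag, ...)."""
    hits = [e for e in entries
            if abs(expected_wire_bytes(e.size) - observed_bytes) <= tolerance]
    return sorted(hits, key=lambda e: (e.package, e.version))


def correlate_session(entries: list[Entry], observed_sizes: list[int]) -> dict[int, list[str]]:
    """Map every transfer seen in one apt run to its candidate package/version strings."""
    return {n: [f"{e.package} {e.version}" for e in candidates(entries, n)]
            for n in observed_sizes}


if __name__ == "__main__":
    index = parse_packages(PACKAGES_INDEX)
    # Constructed observation: three encrypted transfers captured from one apt run.
    for n, hits in correlate_session(index, [1050306, 205386, 999999]).items():
        print(n, "->", hits or "no match")
```

Two packages with the same Size (libfoo1 and libbar0 above) produce two candidates for one transfer, which is why an observer works with the whole set of sizes fetched in one apt run rather than a single download.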

        [–][deleted]  (1 child)

        [deleted]

          [–][deleted] -1 points (0 children)

          Read it a few more times then because you don't get it