[tor-dev] Tor Browser Launcher
Douglas Lucas
dal at riseup.net
Tue Feb 19 07:31:00 UTC 2013
You can't even download Ubuntu off Ubuntu.com via SSL. Only HTTP.
On 02/19/2013 01:06 AM, adrelanos wrote:
> Leo Unglaub:
>> Hey,
>>
>> On 2013-02-18 18:33, adrelanos wrote:
>>> Right, for such users it wouldn't work anyway, because downloading
>>> Tor Browser Launcher from the repository is unencrypted (but
>>> signed) anyway.
>>
>> thats not 100% correct. You can use transport encryption (HTTPS) for
>> the repository servers. You simply need to change your source.list to
>> use https.
>
> Just checked again. Even if apt-transport-https is installed.
>
> # working
> deb http://security.debian.org/ wheezy/updates main contrib non-free
> deb http://ftp.us.debian.org/debian wheezy main contrib non-free
>
> # not working
> deb https://security.debian.org/ wheezy/updates main contrib non-free
> deb https://ftp.us.debian.org/debian wheezy main contrib non-free
>
> After the package managers have adapted to the TUF threat model,
> motivation is low for providing https mirrors. According the the older
> TUF papers only commercial linux distribution have SSL repositories.
> With known filesizes, the motivation could be running your own
> repository with proprietary software or distributing test/unsigned
> packages for testing on your distant test servers or such use cases.
> Debian / Ubuntu folks don't seem to be interested in https mirrors.
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
>
More information about the tor-dev
mailing list