[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Tor Browser Launcher



You can't even download Ubuntu off Ubuntu.com via SSL. Only HTTP.

On 02/19/2013 01:06 AM, adrelanos wrote:
> Leo Unglaub:
>> Hey,
>>
>> On 2013-02-18 18:33, adrelanos wrote:
>>> Right, for such users it wouldn't work anyway, because downloading
>>> Tor Browser Launcher from the repository is unencrypted (but
>>> signed) anyway.
>>
>> thats not 100% correct. You can use transport encryption (HTTPS) for
>> the repository servers. You simply need to change your source.list to
>> use https.
> 
> Just checked again. Even if apt-transport-https is installed.
> 
> # working
> deb http://security.debian.org/ wheezy/updates main contrib non-free
> deb http://ftp.us.debian.org/debian wheezy main contrib non-free
> 
> # not working
> deb https://security.debian.org/ wheezy/updates main contrib non-free
> deb https://ftp.us.debian.org/debian wheezy main contrib non-free
> 
> After the package managers have adapted to the TUF threat model,
> motivation is low for providing https mirrors. According the the older
> TUF papers only commercial linux distribution have SSL repositories.
> With known filesizes, the motivation could be running your own
> repository with proprietary software or distributing test/unsigned
> packages for testing on your distant test servers or such use cases.
> Debian / Ubuntu folks don't seem to be interested in https mirrors.
> _______________________________________________
> tor-dev mailing list
> tor-dev@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
> 
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev