[guardian-dev] making Debian's software updates more private

Hans-Christoph Steiner hans at guardianproject.info
Mon Jul 14 12:15:25 EDT 2014


To proxy all apt/package downloads via Tor, I added this to /etc/apt/apt.conf,
which is similar:

Acquire::socks::Proxy "socks://127.0.0.1:9050";

apt used to enable HTTP pipelining, meaning apt would make multiple HTTP
requests over a single TCP connection, rather than recreating the TCP socket
on each HTTP request. HTTP pipelining is useful for privacy, since it makes
the traffic harder to profile.  Unfortunately, HTTP pipelining was
recently disabled by default.  It can be re-enabled for https using:

Acquire::https::Pipeline-Depth "10";

I'm currently trying this out as my current setup in /etc/apt/apt.conf:

Acquire::socks::Proxy "socks://127.0.0.1:9050";
Acquire::https::SslForceVersion "TLSv1";
Acquire::http::Pipeline-Depth "20";
Acquire::https::Pipeline-Depth "20";

As for using an onion address, if the Tor Hidden Service has been properly
set up (i.e. it redirects to localhost not a different machine), then the onion
address provides point-to-point encryption like HTTPS.  That means at no point
is your apt traffic visible to a network observer.

.hc

On 07/13/2014 02:16 AM, shmick at riseup.net wrote:
> you could also add this to 70debconf and update over Tor
> 
> Acquire::http::Proxy "http://localhost:8118";
> Acquire::https::SslForceVersion "TLSv1";
> 
> 
> 
> Hans-Christoph Steiner:
>>
>> A few of us have been trying to figure out how to improve Debian's software
>> distribution so that the software that people are using remains more private
>> and difficult to snoop on a mass scale.
>>
>> You can follow the discussions here:
>> * https://bugs.debian.org/750522
>> * https://lists.debian.org/debian-security/2014/07/msg00002.html
>> * https://lists.debian.org/debian-security/2014/07/msg00022.html
>>
>> I'm trying to practice what I preach here, so I set up my very first debian
>> mirror.  It is hosted on my home connection, so be gentle.  It is only
>> debian-security for amd64 and i386:
>>
>> deb http://dju2peblv7upfz3q.onion/debian-security/ wheezy/updates main
>>
>> or
>>
>> deb http://dju2peblv7upfz3q.onion/debian-security/ squeeze/updates main
>>
>> This is a test repo, so be sure to keep a real debian-security mirror in your
>> sources.list!  Just put it after the above line, and apt-get will prefer the
>> tor hidden service, but still get the latest updates available from
>> debian-security.
>>
>> .hc

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
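
Added example (not part of the original thread and not code from apt or the Guardian Project): a small audit of the two things the messages above configure, namely that every Acquire proxy directive points at a loopback proxy and that each .onion source is followed by a regular mirror for the same suite. The sample input is constructed from the lines quoted in the thread plus an assumed regular mirror line; only single-line `Key "value";` directives and option-free `deb` lines are handled.

```python
import re
from urllib.parse import urlparse

# Constructed sample input, built from the directives and sources quoted in this thread.
APT_CONF = '''
Acquire::socks::Proxy "socks://127.0.0.1:9050";
Acquire::https::SslForceVersion "TLSv1";
Acquire::http::Pipeline-Depth "20";
Acquire::https::Pipeline-Depth "20";
'''
SOURCES = '''
deb http://dju2peblv7upfz3q.onion/debian-security/ wheezy/updates main
deb http://security.debian.org/ wheezy/updates main
'''

DIRECTIVE = re.compile(r'^\s*([\w:-]+)\s+"([^"]*)"\s*;', re.M)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_apt_conf(text):
    """Return {option: value} for single-line 'Key "value";' directives only."""
    return {k.lower(): v for k, v in DIRECTIVE.findall(text)}

def parse_sources(text):
    """Return (host, suite) for each 'deb' line, in file order."""
    out = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 3 and f[0] == "deb":
            out.append((urlparse(f[1]).hostname or "", f[2]))
    return out

def audit(conf_text, sources_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    proxies = {k: v for k, v in parse_apt_conf(conf_text).items()
               if k.endswith("::proxy")}
    if not proxies:
        findings.append("no Acquire proxy set: downloads go direct")
    for k, v in proxies.items():
        if urlparse(v).hostname not in LOOPBACK:
            findings.append(f"{k} points off-host: {v}")
    srcs = parse_sources(sources_text)
    for i, (host, suite) in enumerate(srcs):
        if host.endswith(".onion") and not any(
                s == suite and not h.endswith(".onion") for h, s in srcs[i + 1:]):
            findings.append(f"{suite}: onion source has no regular mirror after it")
    return findings

if __name__ == "__main__":
    print(audit(APT_CONF, SOURCES) or "ok")
```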

