--- /dev/null
+Title: Always download Debian packages using Tor - the simple recipe
+Tags: english, debian, sikkerhet
+Date: 2016-01-15 00:30
+
+<p>During his DebConf15 keynote, Jacob Applebaum
+<a href="https://summit.debconf.org/debconf15/meeting/331/what-is-to-be-done/">observed
+that those listening on the Internet lines would have good reason to
+believe a computer have a given security hole</a> if it download a
+security fix from a Debian mirror. This is a good reason to always
+use encrypted connections to the Debian mirror, to make sure those
+listening do not know which IP address to attack. In August, Richard
+Hartmann observed that encryption was not enough, when it was possible
+to interfere download size to security patches or the fact that
+download took place shortly after a security fix was released, and
+<a href="http://richardhartmann.de/blog/posts/2015/08/24-Tor-enabled_Debian_mirror/">proposed
+to always use Tor to download packages from the Debian mirror</a>. He
+was not the first to propose this, as the <tt>apt-transport-tor</tt>
+package by Tim Retout already existed to make it easy to convince apt
+to use <a href="https://www.torproject.org/">Tor</a>, but I was not
+aware of that package when I read the blog post from Richard.</p>
+
+<p>Richard discussed the idea with Peter Palfrader, one of the Debian
+sysadmins, and he set up a Tor hidden service on one of the central
+Debian mirrors using the address vwakviie2ienjx6t.onion, thus making
+it possible to download packages directly between two tor nodes,
+making sure the network traffic always were encrypted.</p>
+
+<p>Here is a short recipe for enabling this on your machine, by
+installing <tt>apt-transport-tor</tt> and replacing http and https
+urls with tor+http and https, and using the hidden service instead of
+the official Debian mirror site. I recommend installing
+<tt>etckeeper</tt> before you start to have a history of the changes
+done in /etc/.</p>
+
+<blockquote><pre>
+apt install apt-transport-tor
+sed -i 's% http://ftp.debian.org/%tor+http://vwakviie2ienjx6t.onion/%' /etc/apt/sources.list
+sed -i 's% http% tor+http%' /etc/apt/sources.list
+</pre></blockquote>
+
+<p>If you have more sources listed in /etc/apt/sources.list.d/, run
+the sed commands for these too. The sed command is assuming your are
+using the ftp.debian.org Debian mirror. Adjust the command (or just
+edit the file manually) to match your mirror.</p>
+
+<p>This work in Debian Jessie and later. Note that tools like
+<tt>apt-file</tt> only recently started using the apt transport
+system, and do not work with these tor+http URLs. For
+<tt>apt-file</tt> you need the version currently in experimental,
+which need a recent apt version currently only in unstable. So if you
+need a working <tt>apt-file</tt>, this is not for you.</p>
+
+<p>Another advantage from this change is that your machine will start
+using Tor regularly and at fairly random intervals (every time you
+update the package lists or upgrade or install a new package), thus
+masking other Tor traffic done from the same machine. Using Tor will
+become normal for the machine in question.</p>
+
+<p>On <a href="https://wiki.debian.org/FreedomBox">Freedombox</a>, APT
+is set up by deafult to use <tt>apt-transport-tor</tt> when Tor is
+enabled. It would be great if it was the default on any Debian
+system.</p>
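Review bot: the first sed in the recipe drops the leading space from its replacement, so a line such as `deb http://ftp.debian.org/debian jessie main` becomes `debtor+http://vwakviie2ienjx6t.onion/debian jessie main`, which apt will reject; the pattern matches ` http://ftp.debian.org/` (with the space) but substitutes `tor+http://vwakviie2ienjx6t.onion/` (without it). Suggest `sed -i 's% http://ftp.debian.org/% tor+http://vwakviie2ienjx6t.onion/%' /etc/apt/sources.list` so the separator between `deb`/`deb-src` and the URL survives; the second sed is then fine, since ` tor+http` no longer matches ` http`. It would also help readers to state that the second sed rewrites `https://` entries to `tor+https://` as well (the prose says "replacing http and https urls with tor+http and https", which reads as if https is left alone). Minor spelling in the post text: "deafult" (default), "your are" (you are), "This work in Debian Jessie" (This works in).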