From c8e6c1eb696a2abbd32c4d6033d127296ee850d7 Mon Sep 17 00:00:00 2001 From: Petter Reinholdtsen Date: Fri, 15 Jan 2016 00:31:30 +0100 Subject: [PATCH] New post. --- blog/data/2016-01-15-apt-tor.txt | 62 ++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 blog/data/2016-01-15-apt-tor.txt diff --git a/blog/data/2016-01-15-apt-tor.txt b/blog/data/2016-01-15-apt-tor.txt new file mode 100644 index 0000000000..042f2cf3df --- /dev/null +++ b/blog/data/2016-01-15-apt-tor.txt @@ -0,0 +1,62 @@ +Title: Always download Debian packages using Tor - the simple recipe +Tags: english, debian, sikkerhet +Date: 2016-01-15 00:30 + +

During his DebConf15 keynote, Jacob Applebaum +observed +that those listening on the Internet lines would have good reason to +believe a computer have a given security hole if it download a +security fix from a Debian mirror. This is a good reason to always +use encrypted connections to the Debian mirror, to make sure those +listening do not know which IP address to attack. In August, Richard +Hartmann observed that encryption was not enough, when it was possible +to interfere download size to security patches or the fact that +download took place shortly after a security fix was released, and +proposed +to always use Tor to download packages from the Debian mirror. He +was not the first to propose this, as the apt-transport-tor +package by Tim Retout already existed to make it easy to convince apt +to use Tor, but I was not +aware of that package when I read the blog post from Richard.

+ +

Richard discussed the idea with Peter Palfrader, one of the Debian +sysadmins, and he set up a Tor hidden service on one of the central +Debian mirrors using the address vwakviie2ienjx6t.onion, thus making +it possible to download packages directly between two tor nodes, +making sure the network traffic always were encrypted.

+ +

Here is a short recipe for enabling this on your machine, by +installing apt-transport-tor and replacing http and https +urls with tor+http and https, and using the hidden service instead of +the official Debian mirror site. I recommend installing +etckeeper before you start to have a history of the changes +done in /etc/.

+ +
+apt install apt-transport-tor
+sed -i 's% http://ftp.debian.org/%tor+http://vwakviie2ienjx6t.onion/%' /etc/apt/sources.list
+sed -i 's% http% tor+http%' /etc/apt/sources.list
+
+ +

If you have more sources listed in /etc/apt/sources.list.d/, run +the sed commands for these too. The sed command is assuming your are +using the ftp.debian.org Debian mirror. Adjust the command (or just +edit the file manually) to match your mirror.

+ +

This work in Debian Jessie and later. Note that tools like +apt-file only recently started using the apt transport +system, and do not work with these tor+http URLs. For +apt-file you need the version currently in experimental, +which need a recent apt version currently only in unstable. So if you +need a working apt-file, this is not for you.

+ +

Another advantage from this change is that your machine will start +using Tor regularly and at fairly random intervals (every time you +update the package lists or upgrade or install a new package), thus +masking other Tor traffic done from the same machine. Using Tor will +become normal for the machine in question.

+ +

On Freedombox, APT +is set up by deafult to use apt-transport-tor when Tor is +enabled. It would be great if it was the default on any Debian +system.

-- 2.47.2
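Review bot: The first sed command in the recipe drops the field separator: its pattern begins with a space (`s% http://ftp.debian.org/%`) but the replacement `tor+http://vwakviie2ienjx6t.onion/` does not, so a typical entry such as `deb http://ftp.debian.org/debian jessie main` would come out as `debtor+http://vwakviie2ienjx6t.onion/debian jessie main`, which is no longer a valid sources.list line. Put the leading space in the replacement too, the way the second command already does with `s% http% tor+http%`. In the paragraph introducing the recipe, "replacing http and https urls with tor+http and https" presumably means "tor+https" for the second scheme, which is what the second sed actually produces. A few wording slips are also worth fixing before this is published: "interfere download size" (infer), "a computer have", "your are", "deafult", and the keynote speaker's surname is spelled Appelbaum.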