Draft proposal for Debian

Draft:

Please criticize and contribute to the following:

Objectives:

1. The Debian community must immediately deploy Onion Service repositories for Debian downloads and Debian updates.

2. The Debian community must immediately deploy TLS-only repositories for Debian downloads and Debian updates as a backup to Onion Services.

3. The Debian community must assure anonymity-by-default with the employment of apt-transport-tor by changing existing update mechanics.

4. The Debian community must deploy a critical security update to patch existing update mechanics to use Onion Services.

Summary:

Current and future network adversaries can view and retain which repositories Debian servers connect to (metadata), when (metadata), the updates schedule (information), which updates are being applied (information), and into which operating system (information). This is incredibly valuable information for any adversary wanting to perform minimal attacks against Debian servers. Further, with cheapening data retention, mass-hacking and nation-state dominance is supported by the Debian community’s short-sighted update mechanics.

Edward Snowden has given the world factual evidence describing the capabilities and objectives of global powers and the Debian community has willfully neglected these problems.

Arguments:

Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye — Presented to the Human Rights Council in May 2015:

(2)(A)(9) “Notably, encryption protects the content of communications but not identifying factors such as the Internet Protocol (IP) address, known as metadata. Third parties may gather significant information concerning an individual’s identity through metadata analysis if the user does not employ anonymity tools. Anonymity is the condition of avoiding identification. A common human desire to protect one’s identity from the crowd, anonymity may liberate a user to explore and impart ideas and opinions more than she would using her actual identity. […] Users seeking to ensure full anonymity or mask their identity (such as hiding the original IP address) against State or criminal intrusion may use tools such as virtual private networks (VPNs), proxy services, anonymizing networks and software, and peer-to-peer networks.1 One well-known anonymity tool, the Tor network, deploys more than 6,000 decentralized computer servers around the world to receive and relay data multiple times so as to hide identifying information about the end points, creating strong anonymity for its users.”

Debian powers more than one-third of the Internet. The default behavior of Debian is to obtain updates via clear-text HTTP which discloses the following to any network adversary:

1. Server location via IP address
2. Update server via IP address and DNS resolution
3. Server update schedule
4. Server version
5. Application version

This information, via network analysis, would allow any passive or active adversary to plan effective attacks against any Debian server.

Not all adversaries are the same because not all servers have the same risk. Like people, data mining and data retention capabilities pose grave risks for infrastructure. HTTPS may resolve some of the above information leakage depending on an adversary’s capabilities, but Tor resolves them to a greater degree. Anonymity provides the strongest security and is the only acceptably secure option given the facts.

XKEYSCORE, a FVEY technology, is one example of a modern threat to Internet infrastructure. Via Wikipedia:

On January 26, 2014, the German broadcaster Norddeutscher Rundfunk asked Edward Snowden in its TV interview: “What could you do if you would [sic] use XKeyscore?” and he answered:

“You could read anyone’s email in the world, anybody you’ve got an email address for. Any website: You can watch traffic to and from it. Any computer that an individual sits at: You can watch it. Any laptop that you’re tracking: you can follow it as it moves from place to place throughout the world. It’s a one-stop-shop for access to the NSA’s information.

You can tag individuals… Let’s say you work at a major German corporation and I want access to that network, I can track your username on a website on a form somewhere, I can track your real name, I can track associations with your friends and I can build what’s called a fingerprint, which is network activity unique to you, which means anywhere you go in the world, anywhere you try to sort of hide your online presence, your identity.”

The question posed to Edward Snowden was rightly focused on people. However, an XKEYSCORE-like system can trivially threaten any node on the Internet. If XKEYSCORE-like systems can be programmed to track nations, servers, or application installations, the Debian community must act.

Scenarios:

1. Debian server > https://update-server.onion

In scenario 1, operating system and application updates are obtained exclusively within the Tor network with an added layer of Certificate Authority validation ability. HTTP-based Certificate Authority, Domain Name System, and Border Gateway Protocol vulnerabilities do not exist.

2. Debian server > http://update-server.onion

In scenario 2, operating system and application updates are obtained exclusively within the Tor network. HTTP-based Certificate Authority, Domain Name System, and Border Gateway Protocol vulnerabilities do not exist.

3. Debian server > tor+https://update-server.org

In scenario 3, operating system and application updates are obtained via Tor but must leave the Tor network to reach its HTTPS destination. All HTTP-based Certificate Authority, Domain Name System, Border Gateway Protocol, and Man-in-the-Middle vulnerabilities exist once the traffic traverses Tor exit relays onto the normal Internet. Debian servers retain anonymity but security risk is increased.

4. Debian server > tor+http://update-server.org

In scenario 4, operating system and application updates are obtained via Tor but must leave the Tor network to reach its HTTP destination. All HTTP-based Domain Name System, Border Gateway Protocol, and Man-in-the-Middle vulnerabilities exist once the traffic traverses Tor exit relays onto the normal Internet. Debian server retain anonymity but security risk is increased.

5. Debian server > https://update-server.org

In scenario 5, operating system and application updates are obtained via normal Internet with minimal transport security. Server location information, update server information, and server update schedule information easily obtainable, and sophisticated attackers can obtain server version information and package version information. All HTTP-based Certificate Authority, Domain Name System, Border Gateway Protocol, and Man-in-the-Middle vulnerabilities exist.

6. Debian server > http://update-server.org

In scenario 6, the current Debian default, operating system and application updates are obtained via normal Internet with zero transport security. Server location information, update server information, server update schedule information, server version information, and package version information are trivially obtainable. All HTTP-based Domain Name System, Border Gateway Protocol, and Man-in-the-Middle vulnerabilities exist.

Advertisements