Bug#1001335: apt should use TLSv1.3 Record Padding to obscure file size metadata

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1001335: apt should use TLSv1.3 Record Padding to obscure file size metadata
From: Hans-Christoph Steiner <hans@eds.org>
Date: Wed, 8 Dec 2021 21:44:19 +0100
Message-id: <[🔎] 90cf70ff-5330-9892-fa1d-c8ec83582206@eds.org>
Reply-to: Hans-Christoph Steiner <hans@eds.org>, 1001335@bugs.debian.org


Package: apt
Version: 2.3.13
Severity: wishlist

apt should pad its TLS connections to obscure the size of the downloaded filesfrom network observers. Right now, an attacker could build an index of allpackage sizes, then track the size of HTTPS streams to Debian mirrors, and fromthat, be able to identify most of the packages being downloaded over HTTPS.


TLSv1.3 added the possibility to add padding TLS connections:
https://tools.ietf.org/id/draft-ietf-tls-tls13-21.html#rfc.section.5.4

GnuTLS already supports it:
https://www.gnutls.org/manual/gnutls.html#On-Record-Padding

Reply to:

Follow-Ups:
- Bug#1001335: apt should use TLSv1.3 Record Padding to obscure file size metadata
  - From: Julian Andres Klode <jak@debian.org>
- Bug#1001335:
  - From: Hans-Christoph Steiner <hans@eds.org>

Prev by Date: Bug#1001257: submit@bugs.debian.org
Next by Date: Bug#1001335: apt should use TLSv1.3 Record Padding to obscure file size metadata
Previous by thread: Bug#1001257: submit@bugs.debian.org
Next by thread: Bug#1001335: apt should use TLSv1.3 Record Padding to obscure file size metadata
Index(es):
- Date
- Thread