Bug#1001335:

To: 1001335@bugs.debian.org
Subject: Bug#1001335:
From: Hans-Christoph Steiner <hans@eds.org>
Date: Thu, 9 Dec 2021 12:32:12 +0100
Message-id: <[🔎] fd2fd3e9-4bb1-8f26-ec67-7d79358b2e06@eds.org>
Reply-to: Hans-Christoph Steiner <hans@eds.org>, 1001335@bugs.debian.org
References: <[🔎] 90cf70ff-5330-9892-fa1d-c8ec83582206@eds.org>

Great to hear that pipelining is already in use! I guess HTTPS plus pipeliningcould mean that file size is no longer reliably readable for the networkobserver. I've never profiles TLS and pipelining to know if there are stillvisible signatures that would let the network observer find the borders of filedownloads, so I can't personally say for sure that padding would not still beuseful.

I agree that padding to something like 1MB would be required to strip out allsize metadata. A small amount of padding would obscure a lot of metadata sincethere are many packages that are close to the same size. I've also beenthinking about general fingerprintability, not just detecting whether a specificsecurity update is being applied. The general pattern of packages, could beenough to identify a lot of boxes.

I was thinking this was a low hanging fruit. If it is not, and you don't wantto track this, I'm fine with it being closed.


OpenSSL does Record Padding also:
https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html

Reply to:

References:
- Bug#1001335: apt should use TLSv1.3 Record Padding to obscure file size metadata
  - From: Hans-Christoph Steiner <hans@eds.org>

Prev by Date: Bug#1001335: apt should use TLSv1.3 Record Padding to obscure file size metadata
Next by Date: Klimahouse in Bolzano - 2021 Attendees list
Previous by thread: Bug#1001335: apt should use TLSv1.3 Record Padding to obscure file size metadata
Next by thread: Klimahouse in Bolzano - 2021 Attendees list
Index(es):
- Date
- Thread