Debian apt-get updates over https / SSL / TLS by default OR avoiding amazon AWS - pick one

It has been suggested to enable https (SSL, TLS) by default.

Guess what’s happening…

sudo apt-get update
Hit:1 http://deb.qubes-os.org/r4.0/vm stretch InRelease
Hit:2 http://deb.torproject.org/torproject.org stretch InRelease
Hit:3 http://deb.qubes-os.org/r4.0/vm stretch-testing InRelease
Hit:4 http://deb.qubes-os.org/r4.0/vm stretch-securitytesting InRelease
Get:5 https://cdn-aws.deb.debian.org/debian-security stretch/updates InRelease [94.3 kB]


“use onion sources list exclusively for apt-get updating by default” is a separate discussion and should be discussed here https://phabricator.whonix.org/T812.

Which one is it?

  • apt-get updates over https / SSL / TLS by default OR
  • avoiding amazon AWS?

Pick one.

Amazon - the CIA/Spook/Defense Department cloud provider with 1/3rd of all cloud infrastructure - should have zero access to anything related to Whonix users.

.onions everywhere is the real long term solution for all secure updating and upgrading, by default, configured from 1st install.

I am not sure we really should go into security by policy. Choosing good servers over bad servers. That opens a can of worms.

Before we were using 1) security.debian.org and 2) ftp.us.debian.org. Was never questioned at all.

  1. Could be hosted in US and if I had to bet, I’d bet it is hosted in US.
  2. Even more likely so.

Debian apt downloads look like a volunteer effort. People who can sponsor/contribute these resources. Both 1) and 2) might already be hosted on amazon AWS or similarly awful. Since it is DNS round robin / mirrors most likely, it most likely is hitting such cloud providers already at least sometimes.

onions are not reliable enough yet.

Even if they were…: Do we say “building Whonix requires an already torified connection so you can access onions”? If you don’t have that, out of luck or use binary Whonix download first.


The problem with forcing CA SSL for apt updates is it breaks regular http mirrors and potentially limits mirror numbers severely - making it easier to censor the Whonix build/updates process. If it becomes widely adopted and http mirrors a minority, then switch to apt-https.

Censoring Amazon servers is equally pointless since they do go out of their way to keep their centers secret and use front companies to fool customers.

I suggest letting the chips fall where they may and tell users to restart Tor and re-run the apt process.

The good thing is onion mirrors are reliable enough (though not perfect) to act as alternate fallbacks.

Ahem… :wink:


Lost cause.

Even non-SSL http://security.debian.org redirects to security-cdn.debian.org. (And CDNs are not unlikely to be hosted by AWS.)

How do we know where onions are hosted? Could possibly also be hosted in AWS.

The good thing about apt is we don’t really need to trust the endpoint hosting the mirror when packages are signed. The advantage of onions is to stop selective poisoning of packages in event of an apt vuln or being able to track anonymous systems update patterns because machines have unique program sets installed on them.

Whonix APT sources are currently using https://deb.debian.org/debian.

https://deb.debian.org says it is being hosted by fastly.
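The posts above weigh the same trade-off from several angles: signed packages mean the mirror need not be trusted for integrity, but plain http still exposes which packages a machine fetches (the update-pattern tracking concern), https only hides the paths while still revealing the mirror host, and onion mirrors hide both. The following is an added example, not code from the thread or from the Whonix project, that parses `apt-get update` output of the kind quoted at the top of the thread and reports, per source, the transport in use and what a network observer between the client and the mirror could learn from it. The sample output is constructed for the example (the onion address in it is a placeholder, not a real mirror), and the `Hit:/Get:/Ign:/Err:` line shape is assumed to match what apt prints.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the five lines quoted in the thread plus one
# assumed tor+http onion source (placeholder address) to exercise that branch.
SAMPLE_OUTPUT = """\
Hit:1 http://deb.qubes-os.org/r4.0/vm stretch InRelease
Hit:2 http://deb.torproject.org/torproject.org stretch InRelease
Hit:3 http://deb.qubes-os.org/r4.0/vm stretch-testing InRelease
Hit:4 http://deb.qubes-os.org/r4.0/vm stretch-securitytesting InRelease
Get:5 https://cdn-aws.deb.debian.org/debian-security stretch/updates InRelease [94.3 kB]
Get:6 tor+http://exampleonionaddressplaceholder.onion/debian stretch InRelease [94.3 kB]
"""

# apt's per-source progress lines: "<status>:<n> <url> <suite> <file> [<size>]"
LINE_RE = re.compile(
    r'^(?P<status>Hit|Get|Ign|Err):(?P<n>\d+)\s+(?P<url>\S+)\s+(?P<suite>\S+)\s+(?P<file>\S+)'
)


def classify_source(url):
    """Describe one apt source URL in terms of transport and exposure."""
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()
    onion = host.endswith(".onion")
    via_tor = scheme.startswith("tor+") or onion   # apt-transport-tor schemes
    tls = scheme.endswith("https")

    # What an on-path observer between this client and the mirror learns.
    # Integrity is covered by apt's signature check regardless of transport;
    # this is about traffic analysis, not package tampering.
    if onion:
        exposure = "onion: neither mirror host nor fetched paths visible"
    elif via_tor and tls:
        exposure = "tor+https: exit relay sees mirror host only"
    elif via_tor:
        exposure = "tor+http: exit relay sees mirror host and every path fetched"
    elif tls:
        exposure = "https: mirror host visible (SNI/IP), paths hidden"
    else:
        exposure = "plain http: mirror host and every path fetched visible"

    return {
        "url": url,
        "scheme": scheme,
        "host": host,
        "onion": onion,
        "via_tor": via_tor,
        "tls": tls,
        "exposure": exposure,
    }


def parse_update_output(text):
    """Parse apt-get update output into a list of classified source entries."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue   # progress, "Reading package lists...", etc.
        entry = classify_source(match.group("url"))
        entry["status"] = match.group("status")
        entry["suite"] = match.group("suite")
        entries.append(entry)
    return entries


def cleartext_clearnet(entries):
    """Sources that are neither TLS-protected nor routed through Tor."""
    return [e for e in entries if not e["tls"] and not e["via_tor"]]


def report(text):
    """Print a one-line-per-source summary; returns the parsed entries."""
    entries = parse_update_output(text)
    for e in entries:
        print(f"{e['status']:3} {e['host']:45} {e['suite']:28} {e['exposure']}")
    exposed = cleartext_clearnet(entries)
    print(f"\n{len(exposed)} of {len(entries)} sources fetch over plain http on the clearnet")
    return entries


if __name__ == "__main__":
    report(SAMPLE_OUTPUT)
```

Run against the saved output of `apt-get update` (or the constructed sample when executed directly) to see at a glance which sources still leak the full fetched path list to the network and which only reveal the mirror host, which is the distinction the https-by-default proposal changes and the onion proposal removes entirely.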
