Am I being overly paranoid regarding the infection of system updates via a malicious Tor exit node? This happened to Windows binaries.
How difficult would it be to encrypt the transmission of system updates? Are there Debian or third party servers that allow this?
Debian updates:
Malicious Tor exit relays or their ISP’s are unable to do anything unless they got a vulnerability in apt-get or gnupg. This is because all the repository is signed and apt-get notices signature verification errors. It passes the TUF threat model.
More info:
https://wiki.debian.org/SecureApt
https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md http://www.webcitation.org/6F7Io2ncN
Encryption:
“Easy.” (Difficulty: **** of ********** as per scale: https://www.whonix.org/wiki/FAQ#How_difficult_is_it_to_develop_Whonix.3F)
Might be useful for security in depth. I am not aware of any free public apt update servers. There is https://packages.debian.org/wheezy/apt-transport-https and in jessie also https://packages.debian.org/jessie/apt-transport-tor. What’s missing is someone doing the administration effort and sponsoring update server(s).