I understand this is coming up for Whonix 14 - see https://phabricator.whonix.org/T399 - but it is worth reiterating that hardening the current stable Whonix 13 can be achieved by defaulting the mirrors in sources.list to .onions.
The benefits include:
- protection against MITM attacks due to the use of end-to-end encryption;
- protection against downgrade attacks; and
- reducing the load on exit relays in the Tor network.
Is editing the sources.list already documented? I forget.
Hm! Yes, apt uses plain http to fetch its debs (and then checks the signatures afterwards), so it is possible that somebody somewhere on the Internet (the exit relay, an attacker at the repository, or somebody in between) could mess with those.
That is indeed one of the advantages of using the onion address for reaching the repository – you get end-to-end authentication and encryption, which pretty much stops all of those types of possible attacks.
(Another advantage of using the onion address is that it shifts load away from exit relays in the Tor network – which once thousands of people are using this for their package installs might add up to be a big deal.)
…
Also I think it’s important to note that, like targeted delivery of a malicious package, Tor forces the adversary to deliver malicious data to all users during a downgrade attack. Usually a malicious package will be caught when its signature is verified, but during a downgrade attack, the package is (was) a legitimate package so its signature is good, except the server delivers an older version of the package (or hides the new one from the victim).
Thus, the signature is good but the package is intentionally outdated; very useful for adversaries wanting to exploit vulnerabilities that were present in old packages but have since been patched. Tor means that everyone would receive the old version, making the attack much more detectable. Some package managers already protect against these kinds of replay attacks using signed repository (as opposed to just package) files, but many do not.
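The replay protection mentioned above, as an added example that is not from this thread or the Whonix project: the freshness checks a client can run on the header fields of a signed Debian-style Release file (its Date and Valid-Until fields). It assumes the file's signature has already been verified separately (e.g. by gpgv); the sample Release text and all its values are constructed.

```python
"""Freshness checks on signed apt repository metadata (Release file headers).

Assumes the detached/inline signature was verified before this runs: these
checks only tell you whether a correctly signed file is stale or rolled back.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample of Release file header fields (hypothetical repository).
SAMPLE_RELEASE = """\
Origin: Example Repository
Suite: stable
Date: Sat, 01 Apr 2017 12:00:00 UTC
Valid-Until: Sat, 08 Apr 2017 12:00:00 UTC
Architectures: amd64
"""


def utc(year, month, day):
    """Helper: build a timezone-aware UTC timestamp for comparisons."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_release_fields(text):
    """Parse 'Key: value' header lines; continuation lines are ignored."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def release_freshness(text, now, last_seen_date=None):
    """Return a problem string if the metadata looks replayed, else None.

    - 'expired':  Valid-Until has passed, so a mirror is serving old metadata.
    - 'rollback': Date is older than metadata this client already accepted.
    - missing Valid-Until: the repository gives no replay window at all.
    """
    fields = parse_release_fields(text)
    if "Valid-Until" not in fields:
        return "no Valid-Until field: freshness cannot be checked"
    date = parsedate_to_datetime(fields["Date"])
    valid_until = parsedate_to_datetime(fields["Valid-Until"])
    if now > valid_until:
        return "expired"
    if last_seen_date is not None and date < last_seen_date:
        return "rollback"
    return None


if __name__ == "__main__":
    print(release_freshness(SAMPLE_RELEASE, utc(2017, 5, 1)))
```

Keeping the Date of the last accepted Release file on disk is what makes the rollback check work across runs; without Valid-Until the repository cannot bound how long a replayed snapshot stays acceptable.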