#1001335 apt should use TLSv1.3 Record Padding to obscure file size metadata

Package:
apt
Source:
apt
Description:
commandline package manager
Submitter:
Hans-Christoph Steiner
Date:
2021-12-09 11:54:02 UTC
Severity:
wishlist
#1001335#5
Date:
2021-12-08 20:44:19 UTC
From:
To:
apt should pad its TLS connections to obscure the size of the downloaded files
from network observers.  Right now, an attacker could build an index of all
package sizes, then track the size of HTTPS streams to Debian mirrors, and from
that, be able to identify most of the packages being downloaded over HTTPS.

TLSv1.3 added the possibility to add padding TLS connections:
https://tools.ietf.org/id/draft-ietf-tls-tls13-21.html#rfc.section.5.4

GnuTLS already supports it:
https://www.gnutls.org/manual/gnutls.html#On-Record-Padding

#1001335#10
Date:
2021-12-08 21:39:42 UTC
From:
To:
TLS record padding does not help with that. First of all, we pipeline
all our requests; secondly, we'd not be padding to the extent that this
would hide things (think pad everything to 1MB); third, security updates
are updated quickly, it's unlikely you'd be unable to identify them. In
fact, what you want to do is identify which security updates have not
been applied, and you can just track last conversation with security.d.o
for that :)

So in summary, I don't think it's relevant for us

You should find out the OpenSSL API for it, GnuTLS will be on its
way out next year.

#1001335#15
Date:
2021-12-09 11:32:12 UTC
From:
To:
Great to hear that pipelining is already in use!  I guess HTTPS plus pipelining
could mean that file size is no longer reliably readable for the network
observer.  I've never profiles TLS and pipelining to know if there are still
visible signatures that would let the network observer find the borders of file
downloads, so I can't personally say for sure that padding would not still be
useful.

I agree that padding to something like 1MB would be required to strip out all
size metadata.  A small amount of padding would obscure a lot of metadata since
there are many packages that are close to the same size.  I've also been
thinking about general fingerprintability, not just detecting whether a specific
security update is being applied.  The general pattern of packages, could be
enough to identify a lot of boxes.

I was thinking this was a low hanging fruit.  If it is not, and you don't want
to track this, I'm fine with it being closed.

OpenSSL does Record Padding also:
https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html