https://guardianproject.info/categories/anonymity/ Recent content in Anonymity on Guardian Project Hugo en Sun, 12 Apr 2026 04:04:30 +0000 https://guardianproject.info/2016/07/31/howto-get-all-your-debian-packages-via-tor-onion-services/ Sun, 31 Jul 2016 17:28:57 -0400 https://guardianproject.info/2016/07/31/howto-get-all-your-debian-packages-via-tor-onion-services/ <p><a href="https://guardianproject.info/wp-content/uploads/2014/10/leakage.png"><img src="https://guardianproject.info/wp-content/uploads/2014/10/leakage-300x199.png" alt="leakage" width="300" height="199" class="alignright size-medium wp-image-12699" srcset="https://guardianproject.info/wp-content/uploads/2014/10/leakage-300x199.png 300w, https://guardianproject.info/wp-content/uploads/2014/10/leakage-100x66.png 100w, https://guardianproject.info/wp-content/uploads/2014/10/leakage-150x99.png 150w, https://guardianproject.info/wp-content/uploads/2014/10/leakage-200x132.png 200w, https://guardianproject.info/wp-content/uploads/2014/10/leakage.png 410w" sizes="(max-width: 300px) 100vw, 300px" /></a>Following up on <a href="https://guardianproject.info/2014/10/16/reducing-metadata-leakage-from-software-updates/" target="_blank">some privacy leaks that we looked into a while back</a>, there are now official Debian <a href="https://onion.debian.org" target="_blank">Tor Onion Services</a> for getting software packages and security updates, thanks to the Debian Sys Admin team. This is important for high risk use cases like TAILS covers, but also it is useful to make it more difficult to do some kinds of targeted attacks against high-security servers. The default Debian and Ubuntu package servers use plain HTTP with unencrypted connections. That means anyone with access to the network streams could both monitor and fingerprint traffic. When an request for a security update is spotted, an attacker knows that machine is vulnerable to an exploit, and could reliably exploit it before the security update is applied.</p>