0

I travel to countries I don't trust--a lot. For example, Vietnam, the virus capital of the world. ESPECIALLY in these areas, but also at home in the USA, I want to remove (or reduce) the possibility that someone is intercepting my auto-updates connection and feeding my computer bogus packages.

My solution is to switch to a mirror using HTTPS. But I don't want to pick just any HTTPS server, I want to select the fastest one. "Select Best Server" is available for HTTP (maybe it includes HTTPS, but it never selects HTTPS). Is there any way to run the same tests searching ONLY mirrors available over HTTPS?

Nathan J.B.
  • 2,640

1 Answers1

0

There is no need to use HTTPS, as the packages / data you receive are verified by GPG signatures.

See this post for more details.

Community
  • 1
  • 1
    Ooops. Sorry about that. I fixed the link. :) –  Feb 21 '15 at 03:21
  • Good to know. But how does my client obtain these GPG signatures? Can't a Man In The Middle just serve me a GPG signature that matches the package they're sending me? – Nathan J.B. Feb 21 '15 at 03:29
  • Also, the top answer makes a good point that the MITM could simply provide me an older package with a valid GPG signature -- one they know has an exploit. – Nathan J.B. Feb 21 '15 at 03:29
  • Hmmm...I tried setting my sources in /etc/apt/sources.list to HTTPS and most of them broke. :( –  Feb 21 '15 at 03:39
  • 1
    A comment on that post provided this script to find HTTPS-enabled mirrors: http://pastebin.com/QY2TQ1dq – Nathan J.B. Feb 21 '15 at 03:42
  • Ah! Sorry I didn't help out much. –  Feb 21 '15 at 03:55
  • 1
    Knowing of the GPG signatures makes me a little more comfortable accepting updates now :) – Nathan J.B. Feb 21 '15 at 03:59