
I wish I could trust the packages I am supposedly downloading from Ubuntu servers are exactly what I think they are. But ...

...
Hit:1 http://archive.ubuntu.com/ubuntu xenial InRelease
Get:5 http://security.ubuntu.com/ubuntu xenial-security InRelease [94,5 kB]
Hit:6 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:10 http://archive.ubuntu.com/ubuntu xenial-backports InRelease
...

It's all clear text and unauthenticated traffic.

Why isn't Ubuntu using HTTPS by default when accessing software repositories? What reasons can there be to keep this situation?

EnzoR
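What the asker sees on the wire is plain HTTP, but apt does authenticate what it fetches: the Release/InRelease file carries an OpenPGP signature checked against the archive keyring, and everything below it (Packages indexes, then the .deb files) is pinned by SHA256 and size from that signed file. The following is an added example, not code from the question or from apt itself, that walks that hash chain on constructed data; the signature check on InRelease is deliberately left out (no gpg dependency), and the Release text, Packages stanza and fake .deb bytes are all made up for the example.

```python
import hashlib
import re

# Constructed test data, not real archive content. A real .deb is an ar
# archive starting with "!<arch>\n"; the rest of the payload here is filler.
FAKE_DEB = b"!<arch>\n" + b"A" * 120
DEB_PATH = "pool/main/h/hello/hello_2.10-1_amd64.deb"
INDEX_PATH = "main/binary-amd64/Packages"

# Constructed Packages index: one stanza, carrying the Size and SHA256 of FAKE_DEB.
PACKAGES = (
    "Package: hello\n"
    "Version: 2.10-1\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(FAKE_DEB)}\n"
    f"SHA256: {hashlib.sha256(FAKE_DEB).hexdigest()}\n"
    "\n"
).encode()

# Constructed Release file: the SHA256 section lists every index by digest and size.
# In the real archive this is the text the OpenPGP signature in InRelease covers.
RELEASE = (
    "Suite: xenial\n"
    "Codename: xenial\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} {INDEX_PATH}\n"
)


def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):      # next top-level field ends the section
                break
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_bytes):
    """Return {Filename: (sha256_hex, size)} for each stanza of a Packages index."""
    out = {}
    for stanza in packages_bytes.decode().split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z0-9-]+): (.*)$", stanza, re.M))
        if "Filename" in fields:
            out[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return out


def blob_matches(blob, expected_sha256, expected_size):
    """Cheap size check first, then the digest. Both must match."""
    return len(blob) == expected_size and hashlib.sha256(blob).hexdigest() == expected_sha256


def verify_download(release_text, packages_bytes, index_path, deb_path, deb_bytes):
    """Walk Release -> Packages -> .deb. Any broken link fails the whole chain, which
    is why a hostile mirror or on-path attacker cannot substitute a package without
    also forging the signed Release file."""
    indexes = parse_release_sha256(release_text)
    if index_path not in indexes or not blob_matches(packages_bytes, *indexes[index_path]):
        return False
    pkgs = parse_packages(packages_bytes)
    if deb_path not in pkgs:
        return False
    return blob_matches(deb_bytes, *pkgs[deb_path])


if __name__ == "__main__":
    print("genuine:", verify_download(RELEASE, PACKAGES, INDEX_PATH, DEB_PATH, FAKE_DEB))
    tampered = FAKE_DEB[:-1] + b"B"           # same size, different content
    print("tampered deb:", verify_download(RELEASE, PACKAGES, INDEX_PATH, DEB_PATH, tampered))
```

The point of the example is that the transport is not where apt gets its integrity from: swapping a byte in the .deb, or in the Packages index, is caught by the digests even over plain HTTP. What HTTP does leave exposed is the content of the requests to an observer, and the apt client's own parsers to whatever an on-path party chooses to send; those are separate concerns from the hash chain shown here.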
  • 1. Because it does not add any extra security. HTTPS is not a magic bullet. Packages published in the archive have well-known sizes. An observer will be able to infer what you've just downloaded from an apt mirror even if you're using HTTPS just by observing the size of the file you downloaded and matching it against a table of known package sizes. 2. This has been asked before (several times). 3. And here is a list with https mirrors: https://www.reddit.com/r/Ubuntu/comments/3q53kc/list_of_ubuntu_repository_mirrors_available_over/ – Rinzwind Jun 21 '16 at 06:59
  • See http://askubuntu.com/questions/352952/are-repository-lists-secure-is-there-an-https-version – Rinzwind Jun 21 '16 at 07:01
  • Also see: http://askubuntu.com/questions/747249/why-doesnt-archive-ubuntu-com-use-https?rq=1, http://askubuntu.com/a/146117/158442 – muru Jun 21 '16 at 07:04
  • If you properly set up certificates both in the browser and in the server, I can know for sure whether the file I am downloading is coming from the real intended source or it's being spoofed with a "man in the middle attack". And there are no "well-known sizes" for any packages. There's the certificate signature embedded within the packages themselves, as stated in the links quoted above also by you. – EnzoR Jun 21 '16 at 11:52
  • @Rinzwind: There are in fact multiple exploits of apt (1, 2) that allow arbitrary code execution as root that would have been prevented if https was used instead of http. This proves that the defence in depth principle applies here as much as anywhere else. The claim that https provides no or minimal security benefit is simply false. – Niklas Holm Jan 30 '19 at 08:14
  • @NiklasHolm nope. It does not stop a MITM attack. If you want better security you need HSTS. – Rinzwind Jan 30 '19 at 09:11
  • @Rinzwind nope. HSTS tells the client to always connect using HTTPS. If the https:// is hardcoded in the URI, it does not make a difference (assuming APT doesn't do something idiotic like attempting to connect with HTTP if HTTPS is unavailable) – Niklas Holm Jan 30 '19 at 09:51
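Rinzwind's first comment describes matching observed transfer sizes against a table of known package sizes. The following is an added example of that inference, not code from the thread or from apt; every package size, and the overhead window for HTTP headers and TLS record framing, is a constructed assumption for the example rather than data from any real index.

```python
# Constructed table, not taken from any real Packages index. In practice an
# observer would build it from the Size fields of the public Packages indexes.
KNOWN_SIZES = {
    "hello_2.10-1_amd64.deb": 26_300,
    "curl_7.47.0-1_amd64.deb": 138_700,
    "libcurl3_7.47.0-1_amd64.deb": 139_000,   # deliberately close to curl
    "wget_1.17.1-1_amd64.deb": 298_000,
    "openssh-server_7.2p2-4_amd64.deb": 335_600,
    "zsh_5.1.1-1_amd64.deb": 654_000,
    "nmap_7.01-2_amd64.deb": 4_628_000,
}

# Assumed per-response overhead: HTTP headers plus TLS record framing add from a
# few hundred bytes to about a kilobyte on top of the body. The real range depends
# on the server and cipher suite; these bounds are assumptions for the example.
OVERHEAD_MIN = 300
OVERHEAD_MAX = 1500


def candidates(observed_bytes, table=KNOWN_SIZES):
    """Packages whose body size plus a plausible overhead equals the observed
    response length. A list is returned on purpose: when two packages lie within
    the overhead window of each other the observer cannot tell them apart."""
    return sorted(
        name for name, size in table.items()
        if OVERHEAD_MIN <= observed_bytes - size <= OVERHEAD_MAX
    )


def attribute_session(observed_lengths, table=KNOWN_SIZES):
    """Map every observed response length in a session to its candidate set and
    count how many responses were pinned to exactly one package."""
    guesses = [candidates(n, table) for n in observed_lengths]
    unique = sum(1 for g in guesses if len(g) == 1)
    return guesses, unique


if __name__ == "__main__":
    # Constructed observed response lengths for one apt session over HTTPS.
    session = [26_300 + 700, 139_500, 4_628_000 + 900, 512]
    guesses, unique = attribute_session(session)
    for n, g in zip(session, guesses):
        print(n, "->", g or "no match")
    print(f"{unique}/{len(session)} responses uniquely identified")
```

Two caveats for anyone applying this to real traffic: packages of nearly equal size give an anonymity set rather than a single answer, as the curl/libcurl3 pair above shows, and apt reuses connections and pipelines requests (the `Acquire::http::Pipeline-Depth` option), so several responses can share one TCP stream and individual response lengths have to be recovered before matching. None of this bears on integrity, which the signed Release chain provides; it concerns only what an observer can learn.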