Join Log in
Score:28
SydMK avatar Server

Why are CentOS mirrors HTTP and not HTTPS?

us flag
SydMK

As far as I know, HTTP is prone to man-in-the-middle attacks. As such, the repositories in Alpine Linux or the CentOS Mirrors are not HTTPS.

In the olden days, having HTTPS used to be an expensive matter. It cost server CPU time and the certificates weren't free. But it’s 2022 now, and we have plenty of ways to overcome those problems and security has been top priority than ever!

How can we obtain binaries smarter?

Also is this a problem in the wider Linux community? I.e., Ubuntu, Linux Mint, openSUSE, etc.?

4675
0 + 0
dave_thompson_085 avatar
jp flag
dave_thompson_085
See https://security.stackexchange.com/questions/18853/why-arent-application-downloads-routinely-done-over-https
2
Reply
ad flag
Randall
Many CentOS mirrors are *both* HTTP and HTTPS (and all CentOS 9 Stream mirrors are both), so just pick an HTTPS one to use.
2
Reply
MonkeyZeus avatar
in flag
MonkeyZeus
If the mirrors required credentials over HTTP and you comply and/or you are not verifying the checksum after downloading then you might not be the target audience for CentOS.
0
Reply
cn flag
AndreKR
@Randall Since OP mentions Ubuntu as well, a lot of Ubuntu mirrors are unfortunately HTTP-only. I can't use them because my ISP runs (well-intended?) virus scans on all HTTP traffic and often blocks certain packages as false-positive.
0
Reply
Score:35
avatar Server
in flag
Virsacer

The packages are indeed signed, hence a manipulation would be noticed.

Also the packages are not secret, so there isn't any need to encrypt them on the transfer.

With the mass of downloads from mirrors, this probably saves them a lot of resources.

It is the same on Debian and Ubuntu.

0 + 0
tr flag
Andrew Savinykh
It is doubtful that "this probably saves them a lot of resources" https://istlsfastyet.com/
13
Reply
dave_thompson_085 avatar
jp flag
dave_thompson_085
Plus for users in (and using the network of) a business, school or other organization that inspects network traffic, such inspection is transparent for HTTP, but HTTPS must be decrypted then re-encrypted with a different certificate which client software probably doesn't recognize, making system maintenance fail, which is typically bad.
1
Reply
et flag
Moo
Traffic analysis is a nice tool to discover what a server is installing, and thus what potentially vulnerable packages its pulling - so I disagree with your assertion that “the packages are not secret so no need to encrypt them”.
11
Reply
SydMK avatar
us flag
SydMK
Thanks @Virsacer and all the editors of question and answers. One more clarification on the answer: Is it possible to manually check the package integrity? In my view the package and the Hashes can be changed through a man in the middle attack. Also, does the OS automatically check the signatures during installation?
0
Reply
au flag
Jon Bentley
@SydMK If a transmission is signed, and the attacker doesn't have a copy of the sender's private key, and you have a (untampered) copy of the sender's public key, then it is not possible for the attacker to sign a transmission they have changed through MiTM. Therefore you'd be able to detect such a change by using the sender's public key to see whether or not it was they who signed it.
0
Reply
my flag
Aron
@AndrewSavinykh AES CPU time is not the only thing that increases resources. https being inherently anti MITM makes it impossible for http acceleration proxies to reduce the server load. HTTP accelerators like Squid.
5
Reply
mx flag
Austin Hemmelgarn
@Moo is correct, the primary threat of information disclosure that HTTPS would protect against here is not that package xyz has some specific contents, it’s that a system at IP address 192.0.2.1 has downloaded package xyz (and therefore probably installed package xyz), which is _exceedingly_ useful information for someone attacking that system.
0
Reply
cn flag
Einacio
@moo I have read before that traffic analysis still allows you to know what is downloaded with https since you can observe the size of the download, and it's not secret. Maybe you can't differentiate packages by weight in every case, but you can make assumptions (if you installed 3 php modules, the next one is more likely another module than a Paint program if I doubt between those 2)
1
Reply
et flag
Moo
@Einacio traffic analysis of encrypted streams can and does still elicit usable info (see the analysis of encoded transmissions to and from spies during the cold war), but its still substantially harder to identify individual packages downloaded - with http, the info for an attacker is right there and they can move directly on to "oh, that web server is using package X which is vulnerable to exploit Y" with no further effort in analysis. Security isnt about complete protection, its always about layers to make it more difficult for attackers.
0
Reply
trognanders avatar
ni flag
trognanders
Many Ubuntu mirrors reply on HTTPS now, for anyone that cares to type it in.
0
Reply
Mark avatar
tz flag
Mark
@AustinHemmelgarn, HTTPS doesn't hide the size of the transfer, and transfer size alone will tell you what packages were downloaded for all but the smallest files.
0
Reply
cn flag
AndreKR
@trognanders That is not my experience. I had to specifically search Google for one that allows HTTPs because my ISP runs (well-intended?) virus scans on HTTP traffic and blocked some packages as false-positive.
0
Reply
trognanders avatar
ni flag
trognanders
@AndreKR The mirrors list for CentOS specifies which ones do HTTPS, so that should be pretty easy without Google. Also, off topic, but this is the mirror I always use when possible. It is hosted by a local university. https://mirror.arizona.edu/
0
Reply
Score:20
avatar Server
cn flag
Bob

From a technical perspective the fact plain HTTP content can easily be cached by proxy servers can make quite a bit of difference when you need to manage and update more than a handful of systems.

Setting up local mirrors is often overkill and not practical, but when your proxy server can serve updates from a cache at LAN speeds, rather than every client in your network connecting to an online source...

0 + 0
SydMK avatar
us flag
SydMK
HTTP Caching is interesting. That definitely helps with edge-servers and fast downloads to the client machines. However don't you think at-least the keys should be securely transmitted? Otherwise manipulation in both ends (hard, but possible in my view) would cause malicious packages to be distributed. Don't you think?
0
Reply
mckenzm avatar
in flag
mckenzm
I'd rather have a local mirror at 10Mb/s than a remote mirror at 9600bps.
0
Reply
sn flag
Peter Mortensen
Is something missing at the end? E.g., the implied *not overkill* is not that clear.
0
Reply
Score:14
avatar Server
cn flag
rems4e

The packages are signed by an off-channel method (GPG keys stored on your system).

The main use of having HTTP is to make it easy to have a dependency proxy between the Internet and your machines, which can save a lot of bandwidth and time by only having to download once (the first time) upgrades for potentially 1000s of (virtual) machines.

HTTPS prevents it (not completely, but makes it harder), because being end-to-end encrypted, you can't easily put something that'd intercept the downloaded packages to store them and serve them later.

0 + 0
Score:2
avatar Server
in flag
NiKiZe

A system time error could cause issues with HTTPS. It is not a real issue, but it is sometimes unnecessary.

An out of date system that don't have trusted certificates is a pain to get them updated.

Mirrors that need to respond to the same anycasted hostname.

It takes time to set up distributed mirrors with valid certificates.

0 + 0
Score:2
trognanders avatar Server
ni flag
trognanders

Lots of mirrors will reply on HTTPS if you change the URL, even if the link to them is only HTTP. Using this is better than not verifying anything at all, but puts absolute trust in the mirror host. Using the official GPG signatures to verify the downloads leaves the trust with only parties you already trust completely.

If you follow the instructions here, you only need to trust the certificate for canonical.com, for example. https://ubuntu.com/tutorials/how-to-verify-ubuntu

0 + 0
Score:1
avatar Server
cn flag
marbu

CentOS distribution uses GPG to sign both rpm packages and yum/dnf repository metadata, so that MITM attack will be prevented.

See also How Fedora Secures Package Delivery, which is discussing Fedora, but package and repository metadata security tooling and policy is the same.

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.