Score:0

Lubuntu 20.04 LTS: is http apt transport safe nowadays?


Why does Ubuntu access repositories via http, not https? Is it safe? An infected Wi-Fi router can easily replace an original .deb with malware unless those .debs are encrypted and/or signed. Modern devices are powerful enough to perform DPI and provide fake .deb files/packets "on the fly". Should I choose one of the few https mirrors in "Software Sources"?

Score:3

Plain http is safe for apt to download debs from the Ubuntu repositories.

  • Debs ARE signed. They have been signed since Ubuntu started. They have been signed by Debian for years before that.

The apt+repository system is designed so that https is not required to ensure safe receipt of original debs from repositories. When the signature does not match the package for any reason, apt throws an error and won't install the package.

  • Man-In-The-Middle (MiTM) attacks were considered when the Debian distribution method was created, and that attack vector has been long mitigated using (increasingly long) signatures.

There is certainly nothing wrong with using https, if available. You are welcome to use https sources if you wish.

  • Most mirrors are contributed by volunteer organizations, not controlled by Ubuntu or by Canonical. Many serve content as 'archive.ubuntu.com'. That makes SSL/TLS certificate management --and the associated requirement for private key sharing-- a big ugly problem that no volunteer has stepped forward to solve in two decades of Debian-based distros. You are welcome to help solve it.

Naturally, if you can show a successful proof-of-concept MiTM attack against normal apt usage, the Ubuntu Security Team would love to know about your exploit so they can mitigate that.
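The verification chain the answer describes, written out as an added example that is not from the original page or from apt itself: a mirror is modelled as a map of paths to bytes (which is exactly what an attacker on a plain-http path can rewrite at will), the Release file is signed with an archive key the client already holds, the Packages index is bound to Release by SHA256, and the .deb is bound to Packages by SHA256. Assumptions, all mine: ed25519 stands in for apt's OpenPGP signature, the Release/Packages contents and the .deb bytes are constructed placeholders, and the dists/pool layout is only a sketch of a real Ubuntu archive. What apt actually does is verify InRelease (or Release plus Release.gpg) against the keys in /etc/apt/trusted.gpg.d or the Signed-By keyring, then check every Packages file and every .deb against the hashes that chain back to that signed file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Archive stands in for a plain-http mirror: every entry is attacker-writable.
type Archive map[string][]byte

func sha256hex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// parseFields reads one "Key: Value" stanza (no multi-line folding).
func parseFields(stanza string) map[string]string {
	m := map[string]string{}
	for _, l := range strings.Split(stanza, "\n") {
		if kv := strings.SplitN(l, ": ", 2); len(kv) == 2 {
			m[kv[0]] = kv[1]
		}
	}
	return m
}

// releaseHashes reads the SHA256 block of a Release file: " hash size path".
func releaseHashes(release string) map[string]string {
	m := map[string]string{}
	in := false
	for _, l := range strings.Split(release, "\n") {
		switch {
		case l == "SHA256:":
			in = true
		case in && strings.HasPrefix(l, " "):
			if f := strings.Fields(l); len(f) == 3 {
				m[f[2]] = f[0]
			}
		default:
			in = false
		}
	}
	return m
}

// BuildArchive publishes one package and signs Release with archiveKey.
// Whoever holds archiveKey "is" the archive; an attacker can run this too,
// with their own key and their own .deb (constructed bytes, not a real deb).
func BuildArchive(archiveKey ed25519.PrivateKey, deb []byte) Archive {
	packages := fmt.Sprintf("Package: hello\nVersion: 1.0\nFilename: pool/main/h/hello/hello_1.0_amd64.deb\nSize: %d\nSHA256: %s\n", len(deb), sha256hex(deb))
	release := fmt.Sprintf("Suite: focal\nSHA256:\n %s %d main/binary-amd64/Packages\n", sha256hex([]byte(packages)), len(packages))
	return Archive{
		"dists/focal/Release":                    []byte(release),
		"dists/focal/Release.sig":                ed25519.Sign(archiveKey, []byte(release)),
		"dists/focal/main/binary-amd64/Packages": []byte(packages),
		"pool/main/h/hello/hello_1.0_amd64.deb":  deb,
	}
}

// SwapDeb is the router-level MITM from the question: only the .deb changes.
func SwapDeb(a Archive) Archive {
	b := Archive{}
	for k, v := range a {
		b[k] = v
	}
	b["pool/main/h/hello/hello_1.0_amd64.deb"] = []byte("constructed malware payload")
	return b
}

// Fetch is the client side: the transport is never trusted, only the key in
// the local keyring is. Signature first, then Release -> Packages -> .deb.
func Fetch(a Archive, trusted ed25519.PublicKey, pkg string) ([]byte, error) {
	release := a["dists/focal/Release"]
	if !ed25519.Verify(trusted, release, a["dists/focal/Release.sig"]) {
		return nil, fmt.Errorf("Release signature does not verify against the trusted key")
	}
	idx := "main/binary-amd64/Packages"
	want, ok := releaseHashes(string(release))[idx]
	packages := a["dists/focal/"+idx]
	if !ok || sha256hex(packages) != want {
		return nil, fmt.Errorf("Packages index does not match the hash in the signed Release")
	}
	for _, st := range strings.Split(string(packages), "\n\n") {
		f := parseFields(st)
		if f["Package"] != pkg {
			continue
		}
		deb := a[f["Filename"]]
		if sha256hex(deb) != f["SHA256"] {
			return nil, fmt.Errorf("%s: SHA256 mismatch, refusing to install", f["Filename"])
		}
		return deb, nil
	}
	return nil, fmt.Errorf("package %q not in index", pkg)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	honest := BuildArchive(priv, []byte("constructed placeholder for hello_1.0_amd64.deb"))
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	cases := []struct {
		name string
		a    Archive
	}{
		{"honest mirror", honest},
		{"MITM swaps only the .deb", SwapDeb(honest)},
		{"MITM re-signs Packages and Release with its own key", BuildArchive(attacker, []byte("constructed malware payload"))},
	}
	for _, c := range cases {
		status := "accepted"
		if _, err := Fetch(c.a, pub, "hello"); err != nil {
			status = "rejected: " + err.Error()
		}
		fmt.Printf("%s -> %s\n", c.name, status)
	}
}
```

The two attacker cases fail at different links of the chain: swapping only the .deb fails the last SHA256 check, and regenerating Packages and Release to match fails the signature check, because the client's trusted key never travels over the wire for the attacker to replace. What the signature does not give you is confidentiality: the same bytes go by in cleartext, so an observer on the path learns which packages a host installs, and that is the one thing an https mirror adds on top of this chain.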

"You are welcome to solve it" - yeah that can't be done without Debian and/or Ubuntu issuing the certs and then sharing it with all mirrors - official or unofficial - that serve for the 'archive.ubuntu.com' name - and then you get into a private key sharing problem that is a much larger security concern, and then it becomes a can of worms. Until HTTPS and TLS authentication change their fundamental operational methods for how certificates work (which is unlikely to happen in our lifetimes) there's almost no chance that problem can be 'solved'.
user535733: @ThomasWard completely agree, and edited the mirror bullet. A big ugly problem. But who knows? Perhaps the OP is The Chosen One who can make it work.
N0rbert: HTTP is useful for Squid-deb-proxy operation. Period.
NickDoom: So, MiTM can provide a fake .deb file, but it'll be rejected by the system. HTTPS can provide additional encryption, and does not interfere with signatures. That's what I'd hoped to hear.