ubuntu apt - why are the repositories accessed over HTTP?
So I was just updating my Ubuntu 18.04 system as usual, when I noticed that the apt repositories are being accessed via HTTP. A quick internet search confirmed that this is standard (at least with ubuntu), but didn't yield an answer to why. Now I know that apt performs signature / sanity checks of the packages, but still, why isn't HTTPS used?
Edit 2019-01-24: In light of the recent RCE exploit because of the HTTP communication, I want to point out some current links I found regarding this topic.
https://whydoesaptnotusehttps.com/ -> A single-purpose website only for explaining why HTTP is sufficient.
https://justi.cz/security/2019/01/22/apt-rce.html -> How to exploit the HTTP connection to execute arbitrary code on the target host (and also how to protect yourself against such an attack).
https://usn.ubuntu.com/3863-1/ -> Ubuntu security notice
https://lists.debian.org/debian-security-announce/2019/msg00010.html -> Debian security advisory.
linux ubuntu http packages apt
asked Sep 10 '18 at 8:03 by M.Geiger, edited Jan 24 at 15:48
Ask Ubuntu developers at Canonical.
– Ipor Sircer
Sep 10 '18 at 8:06
Well...thank you. I tagged this question with 'apt' and 'ubuntu', why wouldn't it be okay to ask here?
– M.Geiger
Sep 10 '18 at 8:12
I think this would be more appropriate on askubuntu.com
– phuclv
Sep 10 '18 at 9:09
Yes, you might be correct. However, since not only Ubuntu uses apt, it might be wrong there as well. I just checked the default Debian sources.list which also uses simple HTTP. Edit: However then my tags and question title might be misleading.
– M.Geiger
Sep 10 '18 at 9:12
2 Answers
Most of the time the files are downloaded from a mirror and not from the Ubuntu servers, so even if the Ubuntu site uses HTTPS, you are going to be downloading files from sites like http://ubuntu.unc.edu.ar/ubuntu/ or http://ubuntu.mirror.lrz.de/ubuntu/.
To overcome this problem, the files downloaded by APT have a signature that allows them to be verified against the public keys stored on your computer as being signed by Ubuntu and only Ubuntu.
answered Sep 10 '18 at 8:21 by jcbermu
Thank you for your answer! I understand that public key signatures protect the integrity and authenticity of data. However wouldn't it be desirable to encrypt the data as well so that an adversary might not know what software and what versions thereof are used? I can imagine a - yes maybe complex - attack where an attacker uses the information which software version is used in an attack.
– M.Geiger
Sep 10 '18 at 8:45
@M.Geiger That is indeed a concern of some users, including myself. IMO there is no good reason to use plain HTTP for package repositories these days, and at least one very good reason to use HTTPS, as you pointed out.
– l0b0
Sep 10 '18 at 9:48
@l0b0 Ok, so I'm not the only one. I also found the package apt-transport-https, which looks like it should do the job. I already had this installed. Unfortunately, when I switch every http to https in my Ubuntu sources.list, updating fails with: Could not connect to de.archive.ubuntu.com:443 (141.30.62.25). - connect (111: Connection refused).
– M.Geiger
Sep 10 '18 at 9:59
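The chain this answer describes, as an added illustration rather than code from apt or from the answerer: apt checks the OpenPGP signature over the Release file against the keys in /etc/apt/trusted.gpg.d; that Release file lists the SHA256 digest and size of every Packages index, and each Packages stanza lists the digest and size of its .deb. Everything after the signature check is therefore a hash comparison against signed data, which is why a plain-HTTP mirror can at worst cause a download to be refused. The toy below skips the signature step itself and walks the two hash links; the repository contents, package name, digests and Valid-Until date are constructed for the example, and the function names (verify_download, build_sample_repo) are mine, not apt's.

```python
"""Toy model of apt's integrity chain: signed Release -> Packages -> .deb.

Added illustration, not apt's code. The OpenPGP signature check over the
Release file (the step that actually anchors the chain) is not reproduced.
"""
from __future__ import annotations

import hashlib
import re
from datetime import datetime, timezone

PACKAGES_PATH = "main/binary-amd64/Packages"   # path exactly as listed in Release
DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"          # timestamp format used in Release files
CHECK_TIME = datetime(2018, 9, 10, 9, 0, tzinfo=timezone.utc)   # constructed "now"
SAMPLE_DEB = b"!<arch>\nconstructed stand-in for hello_2.10-1build1_amd64.deb\n"


class IntegrityError(Exception):
    """Raised where apt would refuse to use a downloaded file."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release(text: str) -> tuple[dict, dict]:
    """Split a Release file into header fields and its SHA256 table.

    Returns (fields, {path: (hex_digest, size)}). Weaker digest tables
    (MD5Sum, SHA1) are skipped; apt prefers the strongest one offered.
    """
    fields, digests, section = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" "):                  # continuation line of a digest table
            if section == "SHA256":
                digest, size, path = line.split()
                digests[path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")       # first colon only: dates contain colons
        value = value.strip()
        section = key if value == "" else None    # a bare "SHA256:" opens a table
        if value:
            fields[key] = value
    return fields, digests


def parse_packages(text: str) -> dict:
    """Index a Packages file by package name; stanzas are blank-line separated."""
    stanzas = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":")[::2] for line in block.splitlines())
        stanza = {k.strip(): v.strip() for k, v in pairs}
        stanzas[stanza["Package"]] = stanza
    return stanzas


def verify_download(release_text: str, packages_bytes: bytes,
                    package: str, deb_bytes: bytes, now: datetime) -> str:
    """Walk the chain from the (already signature-checked) Release to one .deb."""
    fields, digests = parse_release(release_text)

    # Freshness: a genuine but stale Release is refused once Valid-Until has
    # passed, so an old index cannot be replayed to hide newer security updates.
    if "Valid-Until" in fields:
        valid_until = datetime.strptime(fields["Valid-Until"], DATE_FMT).replace(tzinfo=timezone.utc)
        if now > valid_until:
            raise IntegrityError(f"Release file expired at {fields['Valid-Until']}")

    # Link 1: the signed Release vouches for the Packages index.
    want_digest, want_size = digests[PACKAGES_PATH]
    if len(packages_bytes) != want_size or sha256_hex(packages_bytes) != want_digest:
        raise IntegrityError("Packages index does not match the signed Release file")

    # Link 2: the Packages index vouches for the .deb.
    stanza = parse_packages(packages_bytes.decode())[package]
    if len(deb_bytes) != int(stanza["Size"]) or sha256_hex(deb_bytes) != stanza["SHA256"]:
        raise IntegrityError(f"{stanza['Filename']} does not match the Packages index")
    return stanza["Filename"]


def build_sample_repo(deb_bytes: bytes) -> tuple[str, bytes]:
    """Constructed publisher side: a one-package index and a Release file for it."""
    packages = (
        "Package: hello\nVersion: 2.10-1build1\nArchitecture: amd64\n"
        "Filename: pool/main/h/hello/hello_2.10-1build1_amd64.deb\n"
        f"Size: {len(deb_bytes)}\nSHA256: {sha256_hex(deb_bytes)}\n"
    ).encode()
    release = (
        "Origin: Ubuntu\nSuite: bionic\nCodename: bionic\n"
        "Date: Mon, 10 Sep 2018 08:00:00 UTC\n"
        "Valid-Until: Mon, 17 Sep 2018 08:00:00 UTC\n"   # constructed; not every archive sets it
        "Architectures: amd64\nComponents: main\nSHA256:\n"
        f" {sha256_hex(packages)} {len(packages)} {PACKAGES_PATH}\n"
    )
    return release, packages


def outcome(release: str, packages: bytes, deb_bytes: bytes, now: datetime = CHECK_TIME) -> str:
    """Report either the accepted pool path or the reason for refusal."""
    try:
        return "accepted " + verify_download(release, packages, "hello", deb_bytes, now)
    except IntegrityError as err:
        return "refused: " + str(err)


def demo() -> dict:
    release, packages = build_sample_repo(SAMPLE_DEB)
    flipped = bytes([SAMPLE_DEB[0] ^ 1]) + SAMPLE_DEB[1:]   # same size, one byte changed
    _, forged_index = build_sample_repo(flipped)             # index rewritten to vouch for it
    return {
        "genuine": outcome(release, packages, SAMPLE_DEB),
        "tampered_deb": outcome(release, packages, flipped),           # caught at link 2
        "tampered_index": outcome(release, forged_index, flipped),     # caught at link 1
        "stale_release": outcome(release, packages, SAMPLE_DEB,
                                 datetime(2018, 10, 1, tzinfo=timezone.utc)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} {result}")
```

The forged-index case is the one that matters for the HTTP question: an on-path party can rewrite both the index and the package consistently, but cannot make the index match the digest in the Release file without a valid signature over a new Release file. What this model cannot address is the confidentiality point raised in the comment thread; the hash chain says nothing about who can observe which packages a host fetches.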
In my opinion it is because it is a layer not necessary for the purpose!
I mean HTTPS is needed to encrypt the data over the network to avoid sending sensitive data in clear text (never authenticate yourself over the HTTP protocol).
So there is no traffic to protect there; most of the code is open source and can be downloaded and redistributed. What needs to be protected is the binary package itself, but for this all the packages in the repository are digitally signed, and if the public key is not installed, your package manager will notify you that the software you are about to install came from an untrusted place.
answered Sep 10 '18 at 8:20 by AtomiX84
Thank you for your answer. I appreciate the hint that most Linux software is open source, so this might be a good reason why it doesn't have to be encrypted for confidentiality.
– M.Geiger
Sep 10 '18 at 8:48