Lubuntu 20.04 LTS: is http apt transport safe nowadays?

Plain http is safe for apt to download debs from the Ubuntu repositories.

  • Debs ARE signed. They have been signed since Ubuntu started. They have been signed by Debian for years before that.

The apt+repository system is designed so that https is not required to ensure safe receipt of original debs from repositories. When the signature does not match the package for any reason, apt throws an error and won't install the package.

  • Man-In-The-Middle (MiTM) attacks were considered when the Debian distribution method was created, and that attack vector has been long mitigated using (increasingly long) signatures.

There is certainly nothing wrong with using https, if available. You are welcome to use https sources if you wish.

  • Most mirrors are contributed by volunteer organizations, not controlled by Ubuntu or by Canonical. Many serve content as 'archive.ubuntu.com'. That makes SSL/TLS certificate management (and the associated requirement for private key sharing) a big ugly problem that no volunteer has stepped forward to solve in two decades of Debian-based distros. You are welcome to help solve it.

Naturally, if you can show a successful proof-of-concept MiTM attack against normal apt usage, the Ubuntu Security Team would love to know about your exploit so they can mitigate that.
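The verification chain the answer relies on, as an added example that is not from the original post or from apt's own code: in apt the archive GPG signature sits on the Release/InRelease file, and every .deb is bound to it through SHA256 hashes in the Packages index, so an index or package altered in transit fails the check whether it came over http or https. The repository data below is constructed, and the signature check itself (which apt performs against the archive keyring before trusting the hashes) is assumed to have already passed.

```python
import hashlib

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release_hashes(release_text: str) -> dict:
    """Return {path: (sha256, size)} from the SHA256 section of a Release file."""
    section = release_text.partition("SHA256:\n")[2]  # "" if the section is missing
    hashes = {}
    for line in section.splitlines():
        if not line.startswith(" "):
            break  # the next top-level field ends the hash list
        digest, size, path = line.split()
        hashes[path] = (digest, int(size))
    return hashes

def parse_packages(packages_text: str) -> dict:
    """Return {Filename: (sha256, size)} for every stanza of a Packages index."""
    entries = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(ln.split(": ", 1) for ln in stanza.splitlines() if ": " in ln)
        entries[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return entries

def verify_chain(release_text, packages_text, index_path, deb_bytes, deb_path) -> bool:
    """Signed Release -> Packages index -> .deb: tampering anywhere breaks a link."""
    index = packages_text.encode()
    if parse_release_hashes(release_text).get(index_path) != (_sha256(index), len(index)):
        return False  # index does not match the signed Release: apt refuses it
    expected = parse_packages(packages_text).get(deb_path)
    return expected == (_sha256(deb_bytes), len(deb_bytes))

# Constructed sample repository (not real Ubuntu archive data).
DEB_PATH = "pool/main/e/example/example_1.0-1_amd64.deb"
INDEX_PATH = "main/binary-amd64/Packages"
GOOD_DEB = b"!<arch>\nconstructed stand-in for a .deb archive\n"
PACKAGES = (
    "Package: example\nVersion: 1.0-1\nArchitecture: amd64\n"
    f"Filename: {DEB_PATH}\nSize: {len(GOOD_DEB)}\nSHA256: {_sha256(GOOD_DEB)}\n"
)
# Body of the InRelease file; apt verifies its GPG signature against the archive
# keyring before trusting these hashes (that signature step is assumed here).
RELEASE = (
    "Origin: Ubuntu\nSuite: focal\nCodename: focal\nSHA256:\n"
    f" {_sha256(PACKAGES.encode())} {len(PACKAGES.encode())} {INDEX_PATH}\n"
)

if __name__ == "__main__":
    print("genuine :", verify_chain(RELEASE, PACKAGES, INDEX_PATH, GOOD_DEB, DEB_PATH))
    print("tampered:", verify_chain(RELEASE, PACKAGES, INDEX_PATH, GOOD_DEB + b"\x00", DEB_PATH))
```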