Why doesn't archive.ubuntu.com use HTTPS? [duplicate]

Are repository updates secure?

As a bear of little brain from the developer side, I cannot understand why the repository list is http://security.ubuntu.com and the other http(unsecured) sites listed in /etc/apt/sources.list. Without a certificate chain match this appears as "ask any responder for a list of packages to update" instead of "ask the ubuntu.com site..."

Can any network choose to spoof the update sites, and is this a common practice to provide a locally cached and vetted copy?


Solution 1:

In short, yes they're secure, because of public key cryptography used to sign the files.

All the files downloaded by APT have a signature that allows the downloaded file to be verified against the public keys stored on your computer as being signed by Ubuntu and only Ubuntu. This verifies that the file you receive was authorised by Ubuntu at some stage and hasn't been modified or tampered with since.

A technical explanation of how this works is available from Ubuntu (and from Debian which uses the same system).

Because of the use of HTTP instead of HTTPS, yes eavesdroppers could see what files you are downloading, but privacy is not likely to be your concern in this case. A man-in-the-middle attempt to modify the packages to inject harmful code would still fail because it would break the signing mechanism.

One possible gotcha in this signing mechanism is that it doesn't guarantee that you are getting the most up-to-date version of the package (indeed, sometimes mirrors are slow to update). To help mitigate this problem, the signed release file includes a "Valid-Until" date after which all the files it references should be considered stale. It would be plausible for a man-in-the-middle to substitute an archive with an unmodified earlier version of the archive within this Valid-Until date and cause your APT to believe there are no updates. But they can't make any arbitrary modifications to packages nor could they go back in time past a certain point.

The signing mechanisms provide much better security than HTTPS in this kind of distributed environment where the files are mirrored over many servers not controlled by Ubuntu. In essence you only need to trust Ubuntu, not the mirror, so you need to prove that the files originally came from Ubuntu and have not been modified since - there's no need to verify the identity of the mirror.

Note that when you add a non-official repository to your sources list, such as a PPA, you will be receiving files that are not signed by Ubuntu. APT should warn you about this, because they haven't been signed by a certificate matching any of the public keys installed on your computer as authorised by Ubuntu.

Solution 2:

The top rated answer here is clearly outdated. Since then, there has been 2 serious remote code execution exploits found in apt because of buggy package verification. Security bulletins here and here.

This is much worse than the concerns about privacy/information leakage and stale package version; this enables arbitrary code execution as root, complete security failure. And the thing is: These attacks would have been prevented if https was used instead of http.

This proves that the defence in depth principle applies here as much as anywhere else. The many claims floating around that https provides no or minimal security benefit in the context of apt is simply incorrect, as has been shown by these exploits.

The question then becomes if the security benefit of https is worth the cost in terms of caching, increased overhead etc. I can't answer that, but at the very least I think Ubuntu/Canonical/Launchpad should provide optional https endpoints for their repositories.