Paul Gevers <elb...@debian.org> writes:

> I was told and I relayed early in this thread [1] that https gives you
> some (delayed) protection against man-in-the-middle attacks serving you
> old data.

Yes, it gives you some protection. Jeremy is more cynical about the utility of that protection than I am, although it's certainly arguable how much it's likely to matter in practice.

The way I would put it is that the security benefit of using TLS for apt updates is primarily that it makes certain classes of attempts to mess with the update channel more noisy and more likely to produce immediate errors.

The most naive attempt to mess with the update channel (intercepting the http connection and replacing a package with a malicious one) will fail immediately with both http or https. The primary difference in that case with https is that the network connection will fail (assuming no compromise of the TLS certificate authority chain, which is possible of course and which degrades to the http case), whereas with http you will download the malicious package first and then apt will refuse to install it when the hash doesn't match. That difference mostly doesn't matter.

-- 
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
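The two checks the thread relies on, the package hash from the signed Packages index and the Release file's Valid-Until freshness window that limits how long replayed "old data" stays acceptable, can be illustrated with a small standalone verifier. This is an added example written for this page; it is not apt's code and not part of the mailing-list thread, and the Release fragment, Packages stanza and package bytes below are constructed sample data, not a real Debian archive. It models only the post-download verification step (the signature check on Release itself is assumed to have already passed), which is exactly where an http-delivered substituted package is rejected.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Release fragment (not a real Debian Release file). In a real
# archive this text is covered by the InRelease/Release.gpg signature.
RELEASE = """Origin: Example
Suite: stable
Date: Sat, 01 Jun 2024 10:00:00 UTC
Valid-Until: Sat, 08 Jun 2024 10:00:00 UTC
"""

# Constructed stand-in for a .deb; the Packages stanza below is derived from it.
GOOD_DEB = b"constructed .deb payload standing in for a real package"
PACKAGES = f"""Package: example
Version: 1.0-1
Filename: pool/main/e/example/example_1.0-1_all.deb
Size: {len(GOOD_DEB)}
SHA256: {hashlib.sha256(GOOD_DEB).hexdigest()}
"""


def parse_stanza(text):
    """Parse one RFC 822-style 'Key: value' stanza into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def release_is_fresh(release_text, now):
    """Model the Valid-Until check: a replayed index past its window is rejected.

    `now` must be a timezone-aware datetime.
    """
    fields = parse_stanza(release_text)
    valid_until = parsedate_to_datetime(fields["Valid-Until"])
    if valid_until.tzinfo is None:  # defensive: treat a naive parse as UTC
        valid_until = valid_until.replace(tzinfo=timezone.utc)
    return now <= valid_until


def verify_download(packages_text, filename, data):
    """Model apt's post-download check: size and SHA256 must match the index.

    Returns True only when the fetched bytes match the signed index entry;
    a package substituted in transit (the http case in the thread) fails here.
    """
    entry = parse_stanza(packages_text)
    if entry.get("Filename") != filename:
        return False
    if int(entry["Size"]) != len(data):
        return False
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison; avoids leaking match length via timing.
    return hmac.compare_digest(actual, entry["SHA256"])


def run_demo():
    """Exercise both checks with constructed good, tampered and stale inputs."""
    fname = "pool/main/e/example/example_1.0-1_all.deb"
    tampered = GOOD_DEB + b" (modified in transit)"
    in_window = datetime(2024, 6, 3, tzinfo=timezone.utc)
    after_window = datetime(2024, 6, 10, tzinfo=timezone.utc)
    return {
        "good_package": verify_download(PACKAGES, fname, GOOD_DEB),
        "tampered_package": verify_download(PACKAGES, fname, tampered),
        "fresh_release": release_is_fresh(RELEASE, in_window),
        "stale_release": release_is_fresh(RELEASE, after_window),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {'accepted' if result else 'rejected'}")
```

Run as a script it prints one line per check; the tampered package and the stale Release are the two cases that are rejected, which is the behaviour the thread describes for plain http: the bad bytes are downloaded, then refused before installation.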