Public bug reported: While the apt-transport-https package is installed by default in Ubuntu, it does not seem to be possible to retrieve core Ubuntu packages or security updates via TLS. The main repositories such as these:
http://security.ubuntu.com/ubuntu http://us.archive.ubuntu.com/ubuntu Have no certificates and are not listening for connections on port 443. This also extends to downloading of the installation/ISO images. While cryptographic signatures are employed for integrity and verification in both cases, and secure transport is of only limited benefit, there are several compelling reasons to support HTTPS in a consistent manner. HTTPS everywhere is now a best practice on the web, and through the US government and among major service providers. With the myriad ways in which plain HTTP connections can be intercepted and subverted, and the consumer demand for user privacy and security, we should be insisting on supporting strong encryption wherever possible. In this context, HTTPS is primarily beneficial for the following reasons: * network attackers can't see what packages you're downloading and the specific software versions, thus profiling the server and assisting the targeting of vulnerabilities and zero-day attacks against it * a sophisticated attacker with possession of a compromised package signing key can't leverage a "QUANTUM insert"-esque technique to redirect to a malicious .deb * an attacker able to passively sniff the network traffic would not be able to use fingerprint techniques to find/identify servers installing an exact set of packages specific to an environment the adversary is searching for * it makes impersonating an apt repo (for example with the goal of blocking people from receiving security updates) more difficult In conclusion, I recommend that Ubuntu deploy SSL certificates on these repositories, and encourage mirrors to follow suit. This would allow communities of users and developers, including those which require strong security assurances, to take advantage of TLS for installing software provided by Ubuntu when their use case demands it. We understand that this might require some extra effort, but think it's worth it based on the reasons cited above. Have there been any discussions in the community about doing this, and what would be an appropriate venue for us to pursue this matter? ** Affects: ubuntu Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1464064 Title: Ubuntu apt repos are not available via HTTPS To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+bug/1464064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs