Fixing this might depend on bug 1185159 and/or bug 1209292.

** Description changed:

  Relying on signatures is silly. It gives attackers much more control
  over a situation, and we already know that this *doesn't work* when weak
  signatures like MD5 are used (see Flame hash collision). Is the average
  user going to get attacked this way, with a collision? Maybe not. But
  Ubuntu servers are going to get targeted, and updating over HTTP just
  doesn't make sense.
  
  Flame may have been a government attack aimed at other governments, but
  users were infected. They were attacked to get to the government
  systems. So whether you're a server or a high value target or whatever,
  there are people who will try to exploit this system. Preventing this is
  as simple as properly implementing HTTPS and encouraging third party
  developers to do the same with their packages.
  
  https://www.cs.arizona.edu/stork/packagemanagersecurity/
  
  https://en.wikipedia.org/wiki/Flame_(malware)#Operation
  
  HTTPS with HSTS in particular will prevent:
  
  1) An attacker from viewing traffic that can give them information as to
  the attack surface on a system. They can see which applications are at
  which versions, and how often the system is updating.
  
  2) If the signing key is compromised, the attacker can install their
  own updates via MITM.
  
  HTTPS prevents this.
  
  Is there any solid reason why updates are still over an insecure
  connection? Microsoft has updated over a secure connection for a year
  now.
+ 
+ The equivalent for the initial Ubuntu download is bug 1359836.
+ 
+ This bug was featured on HTTP Shaming.
+ <http://httpshaming.tumblr.com/post/95198336486/ubuntu-appears-to-
+ retrieve-packages-and-details-on>

** Information type changed from Public to Public Security
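The description argues that the fix is "properly implementing HTTPS" for package sources. A practical first check on an affected machine is to find which configured sources are still fetched over a cleartext transport and which lines can simply be switched to https://. The script below is an added example written for this page, not code from the bug report or from apt; the sources.list content is constructed, and whether a given mirror actually serves HTTPS still has to be verified before the rewritten file is installed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample apt sources in the one-line format; not taken from the bug.
SAMPLE_SOURCES = """\
deb http://archive.ubuntu.com/ubuntu/ trusty main restricted
deb-src http://archive.ubuntu.com/ubuntu/ trusty main restricted
# deb http://archive.canonical.com/ubuntu trusty partner
deb [arch=amd64] https://security.ubuntu.com/ubuntu trusty-security main
deb ftp://ftp.example.org/debian stable main
"""

# deb/deb-src, optional [options], URI, then suite and components.
LINE_RE = re.compile(r'^(deb|deb-src)\s+(?:(\[[^\]]*\])\s+)?(\S+)\s+(.+)$')

# Transports on which an on-path attacker can both read the update stream
# (which packages and versions a host has) and tamper with it, leaving
# apt's signature check as the only barrier.
CLEARTEXT_SCHEMES = {'http', 'ftp'}


def parse_sources(text):
    """Return one dict per active deb/deb-src line; comments and blanks are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # not a source line, or a format this parser does not handle
        kind, options, uri, rest = m.groups()
        entries.append({
            'line': lineno,
            'type': kind,
            'options': options or '',
            'uri': uri,
            'scheme': urlsplit(uri).scheme.lower(),
            'suite_components': rest,
        })
    return entries


def insecure_entries(entries):
    """Entries fetched over a transport that does not authenticate the server."""
    return [e for e in entries if e['scheme'] in CLEARTEXT_SCHEMES]


def rewrite_http_to_https(text):
    """Rewrite http:// URIs on active source lines to https://.

    Comments, blank lines and non-http transports are left untouched. ftp
    lines are still reported by insecure_entries() and need a different
    mirror rather than a scheme swap.
    """
    out = []
    for raw in text.splitlines():
        active = raw.split('#', 1)[0].strip()
        if not LINE_RE.match(active):
            out.append(raw)  # comment, blank or unrecognised line: keep verbatim
            continue
        out.append(re.sub(r'\bhttp://', 'https://', raw, count=1))
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for e in insecure_entries(parse_sources(SAMPLE_SOURCES)):
        print(f"line {e['line']}: {e['type']} {e['uri']} is fetched over {e['scheme']}")
    print(rewrite_http_to_https(SAMPLE_SOURCES), end='')
```

Run it against /etc/apt/sources.list and each file in /etc/apt/sources.list.d/ to get the list of lines to change; the commented-out partner line is deliberately left alone so that disabled entries are not silently re-enabled with a new scheme.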

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1186793

Title:
  Updating is over insecure connection

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1186793/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
