Public bug reported:
While the apt-transport-https package is installed by default in Ubuntu,
it does not seem to be possible to retrieve core Ubuntu packages or
security updates via TLS. The main repositories such as these:
http://security.ubuntu.com/ubuntu
http://us.archive.ubuntu.com/ubuntu
Have no certificates and are not listening for connections on port 443.
This also extends to downloading of the installation/ISO images.
While cryptographic signatures are employed for integrity and
verification in both cases, and secure transport is of only limited
benefit, there are several compelling reasons to support HTTPS in a
consistent manner. HTTPS everywhere is now a best practice on the web,
and through the US government and among major service providers. With
the myriad ways in which plain HTTP connections can be intercepted and
subverted, and the consumer demand for user privacy and security, we
should be insisting on supporting strong encryption wherever possible.
In this context, HTTPS is primarily beneficial for the following
reasons:
* network attackers can't see what packages you're downloading and the specific
software versions, thus profiling the server and assisting the targeting of
vulnerabilities and zero-day attacks against it
* a sophisticated attacker with possession of a compromised package signing key
can't leverage a "QUANTUM insert"-esque technique to redirect to a malicious
.deb
* an attacker able to passively sniff the network traffic would not be able to
use fingerprint techniques to find/identify servers installing an exact set of
packages specific to an environment the adversary is searching for
* it makes impersonating an apt repo (for example with the goal of blocking
people from receiving security updates) more difficult
In conclusion, I recommend that Ubuntu deploy SSL certificates on these
repositories, and encourage mirrors to follow suit. This would allow
communities of users and developers, including those which require
strong security assurances, to take advantage of TLS for installing
software provided by Ubuntu when their use case demands it. We
understand that this might require some extra effort, but think it's
worth it based on the reasons cited above.
Have there been any discussions in the community about doing this, and
what would be an appropriate venue for us to pursue this matter?
** Affects: ubuntu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1464064
Title:
Ubuntu apt repos are not available via HTTPS
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1464064/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
