ubuntu sources.list urls are not HTTPS -- what risk does this present, if any?



  • I was looking at the installation instructions for VS Code today and found this step curious:

    sudo apt install apt-transport-https
    

    I see that there appears to be https transport available for apt:

    $ ls -1 /usr/lib/apt/methods
    cdrom
    copy
    file
    ftp
    gpgv
    http
    https
    mirror
    mirror+copy
    mirror+file
    mirror+ftp
    mirror+http
    mirror+https
    rred
    rsh
    ssh
    store
    

    This made me curious about why Microsoft would have one install that package, so I did some searching and ran across this article from Cloudflare which points out that even fairly recent versions of Debian require additional steps to secure apt.

    I was quite surprised to see that all of the URLs in my sources.list are NOT https. My machine is running Ubuntu 20.04, upgraded from Ubuntu 18.04:

    $ grep http /etc/apt/sources.list
    # See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
    deb http://us.archive.ubuntu.com/ubuntu/ focal main restricted
    deb http://us.archive.ubuntu.com/ubuntu/ focal-updates main restricted
    deb http://us.archive.ubuntu.com/ubuntu/ focal universe
    deb http://us.archive.ubuntu.com/ubuntu/ focal-updates universe
    deb http://us.archive.ubuntu.com/ubuntu/ focal multiverse
    deb http://us.archive.ubuntu.com/ubuntu/ focal-updates multiverse
    deb http://us.archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse
    # deb http://archive.canonical.com/ubuntu focal partner
    # deb-src http://archive.canonical.com/ubuntu focal partner
    deb http://security.ubuntu.com/ubuntu focal-security main restricted
    deb http://security.ubuntu.com/ubuntu focal-security universe
    deb http://security.ubuntu.com/ubuntu focal-security multiverse
    

    This seems less than ideal. It occurs to me that https can be more finicky and any failures might impede critical software updates, but this also seems painfully out of date from a security perspective. On the other hand, the information being transferred is open source software, so there isn't really any risk if someone snoops the packets in transit -- it's not sensitive information, is it?

    Still, I'm wondering if there is risk in this. Is the HTTP protocol vulnerable to packet injection in transit? Can anyone lay out what risks there might be in using insecure HTTP traffic for apt?



  • apt (and other package managers) uses digital signatures to verify the authenticity of packages after downloading them. If a MITM modifies a package in transit, you get an error since the check fails. See https://help.ubuntu.com/community/SecureApt

    Apt-get package management uses public key cryptography to authenticate downloaded packages.

    Using HTTPS instead of HTTP hides some information from third parties, though. See https://manpages.ubuntu.com/manpages/focal/man1/apt-transport-https.1.html

    A sufficiently capable attacker can still observe the communication partners and deeper analysis of the encrypted communication might still reveal important details.
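The integrity check the answer describes is a hash chain rooted in the signed InRelease file: Release lists the SHA256 and size of each Packages index, and Packages lists the SHA256 and size of each .deb, so a modified download fails regardless of whether it travelled over http or https. Below is an added illustration of that chain (not code from the answer, from apt, or from the SecureApt page) over a constructed mini-repository; it assumes the OpenPGP signature on InRelease has already been verified with the keys in /etc/apt/trusted.gpg.d, and the function names are hypothetical.

```python
import hashlib
import re

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_repo():
    """Constructed sample data, not from a real mirror: one .deb, one Packages
    index naming its hash, and one Release file naming the index's hash."""
    deb = b"!<arch>\n constructed example_1.0_amd64.deb"
    packages = (
        "Package: example\nVersion: 1.0\n"
        "Filename: pool/main/e/example_1.0_amd64.deb\n"
        f"Size: {len(deb)}\nSHA256: {sha256(deb)}\n\n"
    ).encode()
    release = (
        "Origin: Constructed\nSuite: focal\nSHA256:\n"
        f" {sha256(packages)} {len(packages)} main/binary-amd64/Packages\n"
    ).encode()
    return release, packages, deb

def parse_release_hashes(release: bytes) -> dict:
    """Map index path -> (sha256, size) from the SHA256 section of Release."""
    hashes, in_sha = {}, False
    for line in release.decode().splitlines():
        if line.startswith("SHA256:"):
            in_sha = True
        elif in_sha and line.startswith(" "):
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
        else:
            in_sha = False  # left the SHA256 section (e.g. MD5Sum follows)
    return hashes

def parse_packages(packages: bytes) -> dict:
    """Map Filename -> (sha256, size) for every stanza of a Packages index."""
    entries = {}
    for stanza in packages.decode().split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z0-9-]+): (.*)$", stanza, re.M))
        if "Filename" in fields:
            entries[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return entries

def verify_download(release, index_path, packages, deb_path, deb) -> bool:
    """Check Release -> Packages -> .deb; any in-transit change breaks a link."""
    exp = parse_release_hashes(release).get(index_path)
    if exp != (sha256(packages), len(packages)):
        return False  # index does not match the signed Release: reject
    exp = parse_packages(packages).get(deb_path)
    return exp == (sha256(deb), len(deb))
```

Mirrors still learn which packages a host fetches; that metadata, not package integrity, is what apt-transport-https hides.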


