ubuntu sources.list urls are not HTTPS -- what risk does this present, if any?
I was looking at the installation instructions for VS Code today and found this step curious:
sudo apt install apt-transport-https
I see that there appears to be https transport available for apt:
$ ls -1 /usr/lib/apt/methods
cdrom
copy
file
ftp
gpgv
http
https
mirror
mirror+copy
mirror+file
mirror+ftp
mirror+http
mirror+https
rred
rsh
ssh
store
This made me curious about why Microsoft would have one install that package, so I did some searching and ran across this article from Cloudflare which points out that even fairly recent versions of Debian require additional steps to secure apt.
I was quite surprised to see that all of the urls in my sources.list are NOT https. My machine is running Ubuntu 20.04, upgraded from Ubuntu 18.04:
$ grep http /etc/apt/sources.list
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
deb http://us.archive.ubuntu.com/ubuntu/ focal main restricted
deb http://us.archive.ubuntu.com/ubuntu/ focal-updates main restricted
deb http://us.archive.ubuntu.com/ubuntu/ focal universe
deb http://us.archive.ubuntu.com/ubuntu/ focal-updates universe
deb http://us.archive.ubuntu.com/ubuntu/ focal multiverse
deb http://us.archive.ubuntu.com/ubuntu/ focal-updates multiverse
deb http://us.archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse
# deb http://archive.canonical.com/ubuntu focal partner
# deb-src http://archive.canonical.com/ubuntu focal partner
deb http://security.ubuntu.com/ubuntu focal-security main restricted
deb http://security.ubuntu.com/ubuntu focal-security universe
deb http://security.ubuntu.com/ubuntu focal-security multiverse
This seems less than ideal. It occurs to me that https can be more finicky and any failures might impede critical software updates, but this also seems painfully out of date from a security perspective. On the other hand, the information being transferred is open source software, so there isn't really any risk if someone snoops the packets in transit -- it's not sensitive information, is it?
Still, I'm wondering if there is risk in this. Is the HTTP protocol vulnerable to packet injection in transit? Can anyone lay out what risks there might be in using insecure HTTP traffic for apt?
apt (and other package managers) uses digital signatures to verify the authenticity of packages after downloading them. If a MITM modifies a package in transit, you get an error since the check fails. See https://help.ubuntu.com/community/SecureApt
Apt-get package management uses public key cryptography to authenticate downloaded packages.
Using HTTPS instead of HTTP hides some information from third parties, though. See https://manpages.ubuntu.com/manpages/focal/man1/apt-transport-https.1.html
A sufficiently capable attacker can still observe the communication partners and deeper analysis of the encrypted communication might still reveal important details.
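To make the answer above concrete, here is an added example (not code from the answer's author, from apt, or from Ubuntu) that models the SecureApt chain of trust the way apt applies it to files fetched over plain HTTP: the signed Release file lists the hash of the Packages index, the Packages index lists the hash of every .deb, and only the Release file carries a signature. Ed25519 from Go's standard library stands in for the archive's OpenPGP key, the file formats are simplified to one field per line, and the package name and bodies are constructed sample data. The point it demonstrates is that a man-in-the-middle who swaps a .deb, edits the index, or re-signs everything with a key of their own is caught at verification time, and that the Valid-Until check is what stops them from replaying an old but correctly signed Release forever. What it does not model is exactly what the answer says remains: the attacker can still see which packages the client asked for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Archive is what a mirror serves over plain HTTP. Only Release is signed;
// Packages and the .deb bodies are authenticated through the hash chain.
// Ed25519 replaces the archive's OpenPGP key here (assumption, not apt's code).
type Archive struct {
	Release   []byte            // simplified InRelease body
	Signature []byte            // signature over Release
	Packages  []byte            // index: Filename + SHA256 per package
	Debs      map[string][]byte // Filename -> package body
}

func sha256hex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// BuildArchive is the mirror side: hash each .deb into Packages, hash
// Packages into Release along with a Valid-Until date, then sign Release.
func BuildArchive(priv ed25519.PrivateKey, debs map[string][]byte, validUntil time.Time) Archive {
	names := make([]string, 0, len(debs))
	for n := range debs {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic index regardless of map order
	var pk strings.Builder
	for _, n := range names {
		fmt.Fprintf(&pk, "Filename: %s\nSHA256: %s\n\n", n, sha256hex(debs[n]))
	}
	packages := []byte(pk.String())
	release := []byte(fmt.Sprintf("Valid-Until: %s\nSHA256: %s Packages\n",
		validUntil.UTC().Format(time.RFC1123), sha256hex(packages)))
	return Archive{Release: release, Signature: ed25519.Sign(priv, release), Packages: packages, Debs: debs}
}

// Verify is the client side. It trusts only pub (the key in the keyring) and
// its own clock; every byte of a came over HTTP and is checked before use.
func Verify(pub ed25519.PublicKey, a Archive, now time.Time) error {
	if !ed25519.Verify(pub, a.Release, a.Signature) {
		return errors.New("Release: bad signature (modified, or signed by an untrusted key)")
	}
	var validUntil time.Time
	var wantPackages string
	for _, line := range strings.Split(string(a.Release), "\n") {
		if strings.HasPrefix(line, "Valid-Until: ") {
			t, err := time.Parse(time.RFC1123, strings.TrimPrefix(line, "Valid-Until: "))
			if err != nil {
				return fmt.Errorf("Release: bad Valid-Until: %w", err)
			}
			validUntil = t
		} else if strings.HasPrefix(line, "SHA256: ") {
			wantPackages = strings.Fields(line)[1]
		}
	}
	// Without this, a MITM could replay an old, validly signed Release and
	// freeze the client on a release with known holes.
	if validUntil.IsZero() || now.After(validUntil) {
		return errors.New("Release: missing or expired Valid-Until (replay)")
	}
	if sha256hex(a.Packages) != wantPackages {
		return errors.New("Packages: hash does not match signed Release")
	}
	listed := map[string]string{} // Filename -> SHA256 from the verified index
	var cur string
	for _, line := range strings.Split(string(a.Packages), "\n") {
		if strings.HasPrefix(line, "Filename: ") {
			cur = strings.TrimPrefix(line, "Filename: ")
		} else if strings.HasPrefix(line, "SHA256: ") {
			listed[cur] = strings.TrimPrefix(line, "SHA256: ")
		}
	}
	for name, body := range a.Debs {
		want, ok := listed[name]
		if !ok {
			return fmt.Errorf("%s: not in signed index", name)
		}
		if sha256hex(body) != want {
			return fmt.Errorf("%s: hash mismatch, modified in transit", name)
		}
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	deb := "pool/main/c/code/code_1.0_amd64.deb" // constructed sample package
	good := BuildArchive(priv, map[string][]byte{deb: []byte("good deb")}, now.Add(24*time.Hour))
	fmt.Println("genuine:", Verify(pub, good, now))
	tampered := good // MITM swaps the .deb body but cannot touch the signed metadata
	tampered.Debs = map[string][]byte{deb: []byte("evil deb")}
	fmt.Println("tampered deb:", Verify(pub, tampered, now))
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader) // MITM re-signs with its own key
	forged := BuildArchive(evilPriv, map[string][]byte{deb: []byte("evil deb")}, now.Add(24*time.Hour))
	fmt.Println("forged archive:", Verify(pub, forged, now))
	fmt.Println("replayed after expiry:", Verify(pub, good, now.Add(48*time.Hour)))
}
```

Real Release files carry a multi-line SHA256 block with sizes and paths, and apt's `gpgv` method checks OpenPGP signatures rather than Ed25519, but the order of checks is the same: signature first, then index hash, then package hash, and apt refuses the download at whichever step fails. Note that the replay defence only works when the archive actually publishes Valid-Until and the client's clock is roughly right; HTTPS would close that gap independently, along with hiding the package names from the network.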