
Bug#758316: APT: Use HTTPS by default



Hi Paul,

Thanks, you are correct about the http / https in the sources.list.
But my concern is about security. Downloading binaries over
unauthenticated connections via HTTP is not good, especially when
you're downloading security updates.  As a project, Debian should
prioritize mirrors that use HTTPS. I know that is a hard thing to do
given that most mirrors are run by volunteers at various locations
(universities, labs, etc.) but it should be discussed and implemented.

Thanks again,
Freddy


On Tue, Dec 23, 2014 at 1:28 AM, Paul Menzel <pm.debian@googlemail.com> wrote:
> Dear Freddy,
>
>
> On Saturday, 16.08.2014, 14:13 -0500, Freddy wrote:
>> Package: apt
>> Version: 0.9.7.9+deb7u2
>>
>> Currently, apt requires install of an additional package
>> apt-transport-https in order to use HTTPS
>>
>> Without it, I get errors like this if I use HTTPS.
>>
>> E: The method driver /usr/lib/apt/methods/https could not be found.
>> E: The method driver /usr/lib/apt/methods/https could not be found.
>> E: The method driver /usr/lib/apt/methods/https could not be found.
>>
>> This is an important security bug for two reasons. It's irresponsible to
>> expose what packages a user has on their computers before they update.
>> An attacker could simply interrupt the package download and exploit a
>> *known* security hole before a user can upgrade their package.
>
> thank you for submitting the bug report! I experienced the same problem,
> only to figure out later that one of the Debian package repositories I
> had configured in `/etc/apt/sources.list*` was incorrectly configured,
> that means it wanted to do HTTPS although the line only had `http://`
> appended to it.
>
> Could you still reproduce the problem? If yes, could you please try to
> deactivate some of the mirrors and see if that helps?
>
> If it does, it’d be awesome if you closed this bug report.
>
>> However, it's also important to deploy SSL *everywhere* and by default.
>
> Agreed! Hopefully more mirrors will provide that support in the future.
>
>
> Thanks,
>
> Paul
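The two practical questions in this thread are (a) which configured mirrors are fetched over plain HTTP and (b) whether the transport method apt needs for a given URI scheme is actually installed, since apt resolves each scheme to a driver under `/usr/lib/apt/methods/<scheme>` and reports "The method driver ... could not be found" when it is absent. The script below is an added illustration written for this page; it is not code from the bug report or from apt. The sources.list content is constructed, and the set of installed methods is passed in explicitly so the check runs offline. Note that apt's signature verification of the Release/InRelease files applies over either transport; what HTTPS adds is confidentiality about which packages a host fetches, which is the concern raised above. In newer apt releases the https method ships in the apt package itself, so the missing-driver error is mainly seen on older systems such as the wheezy version in the report.

```python
"""Audit one-line-style APT source entries for plain-HTTP mirrors and
check that a transport method exists for every URI scheme in use.

Added example for this thread, not apt's own code. SAMPLE_SOURCES is a
constructed sources.list; installed_methods() reads a real methods
directory when you run this on a host, while the tests pass a fixed set.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed sample, in the format of /etc/apt/sources.list
SAMPLE_SOURCES = """\
# Debian main mirror (plain HTTP)
deb http://deb.debian.org/debian bookworm main contrib
deb-src http://deb.debian.org/debian bookworm main

# Security updates over HTTPS, with an options block
deb [arch=amd64 signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] https://deb.debian.org/debian-security bookworm-security main

# Local mirror on the LAN
deb http://mirror.example.internal/debian bookworm main
deb file:/srv/local-repo ./
"""

_OPTS_RE = re.compile(r"^\[(?P<opts>[^\]]*)\]\s*")


@dataclass
class SourceEntry:
    kind: str                       # "deb" or "deb-src"
    uri: str
    suite: str
    components: List[str]
    line_no: int
    options: Dict[str, str] = field(default_factory=dict)

    @property
    def scheme(self) -> str:
        # apt maps this scheme onto /usr/lib/apt/methods/<scheme>
        return urlsplit(self.uri).scheme.lower()


def parse_sources(text: str) -> List[SourceEntry]:
    """Parse deb/deb-src lines; comments and blank lines are skipped."""
    entries: List[SourceEntry] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in ("deb", "deb-src"):
            raise ValueError(f"line {n}: not a deb/deb-src entry: {raw!r}")
        kind, rest = parts
        options: Dict[str, str] = {}
        m = _OPTS_RE.match(rest)
        if m:  # optional [key=value ...] block before the URI
            for item in m.group("opts").split():
                key, _, value = item.partition("=")
                options[key] = value
            rest = rest[m.end():]
        fields = rest.split()
        if len(fields) < 2:
            raise ValueError(f"line {n}: need at least a URI and a suite")
        entries.append(SourceEntry(kind, fields[0], fields[1], fields[2:], n, options))
    return entries


def plain_http_entries(entries: List[SourceEntry]) -> List[SourceEntry]:
    """Entries whose metadata and packages travel unencrypted."""
    return [e for e in entries if e.scheme == "http"]


def installed_methods(methods_dir: str = "/usr/lib/apt/methods") -> Set[str]:
    """Names of transport drivers present on this host (empty if dir is absent)."""
    if not os.path.isdir(methods_dir):
        return set()
    return set(os.listdir(methods_dir))


def missing_methods(entries: List[SourceEntry], available: Set[str]) -> List[str]:
    """Schemes in use that have no driver, i.e. the ones apt would refuse."""
    return sorted({e.scheme for e in entries} - available)


if __name__ == "__main__":
    entries = parse_sources(SAMPLE_SOURCES)
    for e in plain_http_entries(entries):
        print(f"line {e.line_no}: plain HTTP -> {e.uri}")
    for scheme in missing_methods(entries, installed_methods()):
        print(f"no transport method installed for scheme {scheme!r}")
```

Point `installed_methods()` at the real directory on a host to reproduce the thread's error condition: any scheme listed by `missing_methods()` is one for which `apt-get update` would print the method-driver error.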