[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#758316: marked as done (APT: Use HTTPS by default)

Your message dated Fri, 14 Aug 2015 14:18:10 +0200
with message-id <20150814121810.GA11362@crossbow>
and subject line Re: Bug#758316: APT: Use HTTPS by default
has caused the Debian Bug report #758316,
regarding APT: Use HTTPS by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
758316: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758316
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: apt
Version: 0.9.7.9+deb7u2

Currently, apt requires install of an additional package
apt-transport-https in order to use HTTPS

Without it, I get errors like this if I use HTTPS it.

E: The method driver /usr/lib/apt/methods/https could not be found.
E: The method driver /usr/lib/apt/methods/https could not be found.
E: The method driver /usr/lib/apt/methods/https could not be found.

This is an important security bug for two reasons. Its irresponsible to
expose what packages a user has on their computers before they update.
An attacker could simply interrupt the package download and exploit a
*known* security hole before a user can upgrade their package. However,
its also important to deploy SSL *everywhere* and by default.

Freddy Martinez

--- End Message ---
--- Begin Message --- 
On Mon, Dec 29, 2014 at 08:31:39PM +0100, Julian Andres Klode wrote:
> On Mon, Dec 29, 2014 at 8:23 PM, Freddy Martinez
> <freddymartinez9@gmail.com> wrote:
> > Thanks you are correct about the http / https in the sources.list.
> > But my concern is about security. Downloading binaries over
> > unauthenticated connections via HTTP is not good, especially when
> > you're downloading security updates.  As a project, Debian should
> > prioritize mirrors that use HTTPS. I know that is a hard thing to do
> > given that most mirrors are run by volunteers at various locations
> > (universities, labs etc) but it should be discussed and implemented.
> 
> It does not make sense to use https. All data is authenticated using
> GPG signatures. https only offers some encryption on top of that, so
> nobody will know which package you are fetching, but that's an
> entirely minor issue.

Beside that by careful observation you can predict from the size of data
pushed over the encrypted line what data is shipped over it as the size
of the data is public knowledge.

https can only protect you from someone interferring with what is sent
to you – but we are protected against that for a very long time already
by apt-secure usage. And in this form, https is even weaker than
apt-secure as we sign end to end while https just protects the transport
between hops – aka non-Debian controlled mirrors would be a problem with
https.

All the wonderful other attributes assigned to https aren't really true
as it is e.g. not for privacy: Everyone can see to which server you are
talking to, you need to use something like Tor for that.


Having more https mirrors and/or using them as user would be nice to
have maybe, but there is no explicit need for it and NOT needed for
security reasons. Hence closing as apt can do nothing about it, at best
this is a mirror teams task, but not really actionable for them either…


Best regards

David Kalnischkies

Attachment: signature.asc
Description: Digital signature


--- End Message ---
Reply to: