Debian (and ubuntu) having throubles in downloading apt-get updates if I use https

As stated in the previous question: How can i force apt-get or apt to use only https connections

deb https://deb.debian.org/debian bookworm main
deb https://security.debian.org/debian-security bookworm/updates main
deb https://deb.debian.org/debian bookworm-updates main

security.debian.org doesn’t work if I use https protocol.

With ubuntu I have similar problems in updating apt-get cache with https protocol.

Now, isn’t considered a major security issue using plain http in order to download updates for your operative system ?

I’m scratching my head in order to understand why in 2023 plain http is still considered to be used aside some testing environments. Can’t heavy main in the middle and mangling of packets be carried in place so that crafted packets can be dispatched and be installed on user machines?

Asked By: user3450548

||

Debian and its derivatives don’t rely on TLS to secure package delivery, they rely on OpenPGP key signatures, using keys already on the system (set up during installation or added by the system administrator). This covers metadata and package contents; see How is the authenticity of Debian packages guaranteed? for details.

The other commonly-requested feature provided by TLS is confidentiality, i.e. that anyone able to spy on your traffic can’t determine what you’re doing. I don’t have the links handy but it turns out that TLS isn’t sufficient to hide package download activity meaningfully — transfer sizes are sufficient to determine which packages are being downloaded in most cases.

So TLS adds integrity, which Debian already provides, and could add confidentiality, but doesn’t in practice. It also adds some overhead and makes it more complicated to cache data (which is extremely useful for distribution package repositories); so Debian doesn’t configure it by default.

There is one feature of TLS which isn’t supported in all cases in Debian repositories: resistance to replay attacks. In a man-in-the-middle scenario, without TLS, a client can be served older versions of repository metadata and associated packages, which could be used to keep a system vulnerable. Debian repositories with frequent updates (notably, the “updates” and security suites) produce metadata which is only valid for a week, preventing replays beyond that; but stable point releases are valid until their signing key expires, so a target system could be artificially kept on an older point-release. (However in its default configuration it would still see security updates in this type of scenario.)

Of course, defense in depth is better, and there have been vulnerabilities in the past which would have been mitigated by TLS; so TLS can be enabled with most repositories.

As far as best practices go:

  • for Debian (or Ubuntu) repositories, the default setup is good enough as long as you pay attention to apt errors (but don’t let me stop you enabling TLS if you want to);
  • for third-party repositories, you should use TLS if possible (this is easier as a blanket rule than checking whether each repository is configured correctly).
Answered By: Stephen Kitt
Categories: Answers Tags: , , , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.