Ubuntu – Are repository lists secure? Is there an HTTPS version


Are repository updates secure?

As a bear of little brain from the developer side, I cannot understand why the repository list is http://security.ubuntu.com and the other http(unsecured) sites listed in /etc/apt/sources.list. Without a certificate chain match this appears as "ask any responder for a list of packages to update" instead of "ask the ubuntu.com site…"

Can any network choose to spoof the update sites, and is this a common practice to provide a locally cached and vetted copy?

Best Answer

In short, yes they're secure, because of public key cryptography used to sign the files.

All the files downloaded by APT have a signature that allows the downloaded file to be verified against the public keys stored on your computer as being signed by Ubuntu and only Ubuntu. This verifies that the file you receive was authorised by Ubuntu at some stage and hasn't been modified or tampered with since.

A technical explanation of how this works is available from Ubuntu (and from Debian which uses the same system).

Because of the use of HTTP instead of HTTPS, yes eavesdroppers could see what files you are downloading, but privacy is not likely to be your concern in this case. A man-in-the-middle attempt to modify the packages to inject harmful code would still fail because it would break the signing mechanism.

One possible gotcha in this signing mechanism is that it doesn't guarantee that you are getting the most up-to-date version of the package (indeed, sometimes mirrors are slow to update). To help mitigate this problem, the signed release file includes a "Valid-Until" date after which all the files it references should be considered stale. It would be plausible for a man-in-the-middle to substitute an archive with an unmodified earlier version of the archive within this Valid-Until date and cause your APT to believe there are no updates. But they can't make any arbitrary modifications to packages nor could they go back in time past a certain point.

The signing mechanisms provide much better security than HTTPS in this kind of distributed environment where the files are mirrored over many servers not controlled by Ubuntu. In essence you only need to trust Ubuntu, not the mirror, so you need to prove that the files originally came from Ubuntu and have not been modified since - there's no need to verify the identity of the mirror.

Note that when you add a non-official repository to your sources list, such as a PPA, you will be receiving files that are not signed by Ubuntu. APT should warn you about this, because they haven't been signed by a certificate matching any of the public keys installed on your computer as authorised by Ubuntu.

Related Question