Ubuntu – Why doesn’t archive.ubuntu.com use HTTPS?


I always see instructions for adding the Universe and Multiverse repositories that look something like the following:

sudo add-apt-repository -y "deb http://archive.ubuntu.com/ubuntu $(lsb_release -sc) main universe restricted multiverse"

Recently I tried editing this to use HTTPS instead and was dismayed to find that archive.ubuntu.com doesn't appear to respond to HTTPS. Now I wonder how feasible it would be, or what damage could be done, if an attacker were to successfully perform a man-in-the-middle attack here?

Am I being too paranoid, considering the role these repositories perform on a system?

Best Answer

All the files downloaded by APT have a signature that allows the downloaded file to be verified against the public keys stored on your computer as being signed by Ubuntu and only Ubuntu. This verifies that the file you receive was authorised by Ubuntu at some stage and hasn't been modified or tampered with since.

A technical explanation of how this works is available from Ubuntu (and from Debian which uses the same system).

Because of the use of HTTP instead of HTTPS, yes, eavesdroppers could see what files you are downloading, but privacy is not likely to be your concern in this case. A man-in-the-middle attempt to modify the packages to inject harmful code would still fail because it would break the signing mechanism.

One possible gotcha in this signing mechanism is that it doesn't guarantee that you are getting the most up-to-date version of the package (indeed, sometimes mirrors are slow to update). To help mitigate this problem, the signed release file includes a "Valid-Until" date after which all the files it references should be considered stale. It would be plausible for a man-in-the-middle to substitute an archive with an unmodified earlier version of the archive within this Valid-Until date and cause your APT to believe there are no updates. But they can't make any arbitrary modifications to packages nor could they go back in time past a certain point.

The signing mechanisms provide much better security than HTTPS in this kind of distributed environment where the files are mirrored over many servers not controlled by Ubuntu. In essence you only need to trust Ubuntu, not the mirror, so you need to prove that the files originally came from Ubuntu and have not been modified since - there's no need to verify the identity of the mirror.

Note that when you add a non-official repository to your sources list, such as a PPA, you will be receiving files that are not signed by Ubuntu. APT should warn you about this, because they haven't been signed by a certificate matching any of the public keys installed on your computer as authorised by Ubuntu.

Source: Are repository lists secure? Is there an HTTPS version?
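As an added illustration, not part of the question or answer above and not apt's own code, the Python below models the checks that sit behind the answer's argument: once gpgv has accepted the OpenPGP signature on the Release body, a client still has to verify the Release to Packages to .deb hash chain and enforce the Valid-Until window. It also plays the two man-in-the-middle moves the answer discusses: a modified package (rejected because the signed hashes no longer match) and a replayed, unmodified older snapshot (accepted while inside Valid-Until, rejected once it expires). The sample index files, the .deb bytes, the dates and the seven-day validity window are constructed for the example; the function names (verify_chain, make_release, and so on) are this example's own, and the signature check itself is assumed to have happened already rather than being re-implemented here.

```python
"""Hash-chain and freshness checks a client applies after the OpenPGP
signature on a Release/InRelease body has been verified (example code,
not apt's implementation; signature verification by gpgv is assumed)."""
import hashlib
from datetime import datetime, timedelta, timezone

DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"  # the date format used in Release files

# --- Constructed sample archive (not taken from a real mirror) --------------
DEB_PATH = "pool/main/h/hello/hello_2.10-3_amd64.deb"
GOOD_DEB = b"constructed stand-in for hello_2.10-3_amd64.deb"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_packages(deb: bytes) -> bytes:
    """Build a one-stanza Packages index that commits to the .deb's SHA256."""
    return (
        "Package: hello\nVersion: 2.10-3\nArchitecture: amd64\n"
        f"Filename: {DEB_PATH}\nSize: {len(deb)}\nSHA256: {sha256_hex(deb)}\n\n"
    ).encode()


def make_release(packages: bytes, date: datetime, valid_for: timedelta) -> str:
    """Build the body that gets signed: Date, Valid-Until and the SHA256
    list committing to every index the release references."""
    return (
        "Origin: Ubuntu\nSuite: jammy\n"
        f"Date: {date.strftime(DATE_FMT)}\n"
        f"Valid-Until: {(date + valid_for).strftime(DATE_FMT)}\n"
        "SHA256:\n"
        f" {sha256_hex(packages)} {len(packages):>16} main/binary-amd64/Packages\n"
    )


def parse_release(text: str) -> dict:
    """Parse Release fields; the SHA256 block becomes {path: (hexdigest, size)}."""
    fields, digests, in_sha = {}, {}, False
    for line in text.splitlines():
        if line.startswith(" "):
            if in_sha:  # continuation lines of the SHA256 block
                digest, size, path = line.split()
                digests[path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")
        in_sha = key == "SHA256"
        fields[key] = value.strip()
    fields["SHA256"] = digests
    return fields


def parse_packages(packages: bytes) -> dict:
    """Map each Filename in a Packages index to its declared SHA256."""
    out, stanza = {}, {}
    for line in packages.decode().splitlines() + [""]:
        if not line:  # blank line ends a stanza
            if "Filename" in stanza:
                out[stanza["Filename"]] = stanza["SHA256"]
            stanza = {}
        else:
            key, _, value = line.partition(":")
            stanza[key] = value.strip()
    return out


def verify_chain(release_text: str, packages: bytes, deb: bytes, now: datetime) -> tuple:
    """Freshness window first, then Release -> Packages -> .deb hashes.
    Returns (accepted, reason)."""
    rel = parse_release(release_text)
    date = datetime.strptime(rel["Date"], DATE_FMT).replace(tzinfo=timezone.utc)
    valid_until = datetime.strptime(rel["Valid-Until"], DATE_FMT).replace(tzinfo=timezone.utc)
    if now < date:
        return False, "Release file is not valid yet"   # clock skew or a future-dated file
    if now > valid_until:
        return False, "Release file has expired"        # replay of a stale snapshot
    want_digest, want_size = rel["SHA256"]["main/binary-amd64/Packages"]
    if (sha256_hex(packages), len(packages)) != (want_digest, want_size):
        return False, "Packages index does not match signed Release"
    index = parse_packages(packages)
    if sha256_hex(deb) != index.get(DEB_PATH):
        return False, "package file does not match Packages index"
    return True, "accepted"


def demo() -> dict:
    """Probe the chain the way a man-in-the-middle on plain HTTP could."""
    signed_at = datetime(2024, 1, 1, tzinfo=timezone.utc)
    packages = make_packages(GOOD_DEB)
    release = make_release(packages, signed_at, timedelta(days=7))  # window length assumed
    now = signed_at + timedelta(days=1)
    return {
        "genuine": verify_chain(release, packages, GOOD_DEB, now),
        # swapped .deb: the signed Packages index no longer matches it
        "tampered_deb": verify_chain(release, packages, GOOD_DEB + b"backdoor", now),
        # rewritten Packages pointing at a trojan: the signed Release no longer matches it
        "tampered_index": verify_chain(release, make_packages(b"trojan"), b"trojan", now),
        # freeze attack: the unmodified snapshot replayed while still inside Valid-Until
        "replay_in_window": verify_chain(release, packages, GOOD_DEB, signed_at + timedelta(days=6)),
        # the same replay once Valid-Until has passed
        "replay_expired": verify_chain(release, packages, GOOD_DEB, signed_at + timedelta(days=8)),
    }
```

The two tampering cases fail without any help from TLS, which is the answer's point; the in-window replay succeeds, which is the residual freeze attack the answer describes, and Valid-Until is what bounds it.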
