Debian – Why is there no https transport for debian apt tool

Tags: apt, debian, https, Security

With all the paranoia that came with NSA revelations, I'm wondering why the Debian package installation mechanism does not support HTTPS for its transport, let alone use one by default.

I know Debian packages have some sort of signature validation using GPG, but still, I don't think using HTTPS transport instead of HTTP would be too hard, considering how crucial this is security-wise.

Edit: I mostly want to protect myself from MitM attacks (including just traffic sniffing), not Debian mirror administrators. HTTP repositories put the whole system setup on the table for anyone snooping traffic to Debian mirrors.

Best Answer

There is. You need to install the package apt-transport-https. Then you can use lines like

 deb https://some.server.com/debian stable main

in your sources.list file. But usually that's not necessary, since the entire content is public anyway and it adds encryption overhead and latency. Since you don't trust an attacker's public key, even http traffic is safe from MitM attacks. apt will warn you and fail to install the packages when an attacker injects manipulated packages.

EDIT: As mentioned in the comments it is indeed more secure to use the TLS repository. Research shows that using apt on unencrypted repositories can indeed pose a security risk as the HTTP transport is vulnerable to replay attacks.
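A small audit script, added here as an example and not part of the original answer, that lists every `deb`/`deb-src` entry in a sources.list-style file that still uses the plaintext `http://` transport (an optional `[options]` block before the URI is skipped; the hostnames in the constructed sample file are placeholders):

```shell
#!/bin/sh
# Report apt source entries that still fetch over plaintext HTTP.
# Handles the one-line format:  deb [options] uri suite component...
# Comment and blank lines are ignored; https:// entries are not reported.
list_http_sources() {
    awk '
        /^[[:space:]]*(#|$)/ { next }             # skip comments and blanks
        $1 != "deb" && $1 != "deb-src" { next }   # only repository lines
        {
            uri = $2
            if (uri ~ /^\[/) {                     # skip the [options] block,
                i = 2                              # which may span fields
                while (i <= NF && $i !~ /]$/) i++
                uri = $(i + 1)
            }
            if (uri ~ /^http:\/\//) print $0
        }
    ' "$1"
}

# Number of plaintext entries, as a single value for scripting.
count_http_sources() {
    list_http_sources "$1" | wc -l | tr -d ' '
}

# Constructed sample sources.list (placeholder hosts, not a real config).
SAMPLE_SOURCES="$(mktemp)"
trap 'rm -f "$SAMPLE_SOURCES"' EXIT
cat > "$SAMPLE_SOURCES" <<'EOF'
# primary mirror, plaintext transport
deb http://mirror.example.org/debian stable main
deb-src http://mirror.example.org/debian stable main
# plaintext transport with an options block
deb [arch=amd64] http://mirror.example.org/debian testing main
# TLS transport, with and without an options block
deb [arch=amd64 lang=en] https://security.example.org/debian-security stable-security main
deb https://some.server.com/debian stable main
EOF

list_http_sources "$SAMPLE_SOURCES"
```

Run it against `/etc/apt/sources.list` (and each file in `/etc/apt/sources.list.d/`) to see which entries would benefit from switching to `https://` once `apt-transport-https` is installed.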
