On Wed, 15 Apr 2020 07:49:28 -0400 Greg Wooledge <wool...@eeg.ccf.org> wrote:
> On Tue, Apr 14, 2020 at 07:12:47PM -0400, Lee wrote:
> > On 4/14/20, Greg Wooledge <wool...@eeg.ccf.org> wrote:
> > > Accessing the mirrors via https makes the packages un-cacheable, which
> > > makes the traffic volume significantly greater -- and the package lists
> > > are already signed, so there's no gain in trustworthiness of the packages.
> > >
> > > Some people may cite "privacy", as in "I don't want them to know which
> > > window manager I use", or something... I do not understand this
> > > argument, frankly. It sounds paranoid to me.
> >
> > How about people that cite "security"? And yes, I take the simplistic
> > approach that encrypted=good and clear-text=bad but clear-text allows
> > things like
> >
> > https://www.guardicore.com/2019/01/a-vulnerability-in-debians-apt-allows-for-easy-lateral-movement-in-data-centers
> >
> > my understanding is that vuln wouldn't have existed if https had been used.
>
> That was a one-time bug, and was fixed quickly. People have blown it
> way out of proportion.
>
> The general answer for people who think "it's not https so it's not secure"
> is already given at <https://whydoesaptnotusehttps.com/>.

As that site notes:

> However there may be other security benefits to using HTTPS for apt
> updates, in that it should greatly increase the difficulty for a
> man-in-the-middle attacker to exploit future bugs in APT, or to

IIUC, this is pretty much what happened to OpenWRT recently:

https://arstechnica.com/information-technology/2020/03/openwrt-is-vulnerable-to-attacks-that-execute-malicious-code/

They were using SHA256 checksums to verify packages, not GPG signing, but the vulnerability was caused by buggy code that allowed the hash check to be bypassed, which I suppose could hit a GPG based system as well ...

Celejar