-
Notifications
You must be signed in to change notification settings - Fork 142
Idea: Use HTTPS for package downloads #403
Comments
I would say leave the default http for both size and not baking in |
@CMeza99 I didn't have to install Anyway, if there's interest, let me know and give me pointers to work on a PR. If not, we can just close this issue. |
Yeah, the size is not a huge difference. And yes, I was incorrect.
But without having CAs, validating the certificate would have to be disabled, correct?
I like the idea. I am just not sure about it being default for consistency, as Debain does not do this by default. (Take my opinion with a grain of salt, as I am a noob to this project). |
What's the point of using HTTPS if you're going to skip verification of peer (certificate expired, certificate revoked, Man in the Middle attack, lack of anchor) and host (certificate hostname does not match hostname used to access it)? It removes all the security provided by the use of SSL/TLS to secure the HTTP exchanges. Don't do that in production environment :) |
@mengelmann My proposal would be installing @CMeza99 I might've installed ca-certificates as a hard dependency of another package that I was installing. To clarify, I'd suggest installing both apt-transport-https and ca-certificates by default. The fact that Debian doesn't do it by default is a fair criticism, though I think that's due to philosophical differences:
Not everyone involved in the Debian project agrees, and there are threads that come up from time to time to discuss this, but no consensus (hard to do with thousands of developers!) There is also an argument for plain HTTP as middle boxes can transparently cache packages. Lastly, I think there's still some value in encrypting even without validating (though all the usual arguments wrt opportunistic encryption and sslstrip apply). It's less risky than usual because integrity checks are still provided by GPG signature verification, and the worst case (someone eavesdrops and can see what packages you're installing) is the same as the status quo over HTTP. |
My 2 cents:
|
Hello,
I use the official Debian image on Google Cloud (thanks for your hard work on this), so this idea is in relation to that platform. However, I think images for other clouds are likely to have the same issue.
There was a recent thread on debian-security where Luca Filipozzi pointed out that the Debian CDN (deb.debian.org) supports HTTPS for additional security. It prevents eavesdropping and provides another layer of defense in case there are bugs in the GPG signature verification code, which has happened before.
I'd like to propose installing
apt-transport-https
and using HTTPS source repositories by default, at least for the Big Three hyperscale clouds (Microsoft Azure, Google Cloud, Amazon Web Services), but better yet, for all of them. There is a risk that this could break package upgrades on systems with incorrect timing information due to certificates' validity period, but the risk should be much lower for the hyperscale clouds, which I'd expect to have more accurate timekeeping.I'm happy to work on a pull request, but as this would be my first PR for this project, I require some direction on what must be done. To reduce risk and minimize disruption, we could focus on the next stable release of Debian and leave all existing images as-is.
PS: looks like the same can be done with cloudfront.d.n - https://github.com/andsens/bootstrap-vz/blob/master/manifests/official/ec2/ebs-stretch-amd64-hvm.yml#L31
The text was updated successfully, but these errors were encountered: