top | item 17143864

Ask HN: Why aren't distro updates delivered https?

3 points| galeforcewinds | 7 years ago

Why don't CentOS/Fedora/Ubuntu deliver all package updates over https, and encourage third-party package providers to do the same?

I understand SSL/TLS reduces the risk of data tampering and reduces the risk of snooping what data is downloaded.

Though risk data tampering may also be reduced through the validation of cryptographically signed packages as many distros do, it would seem there remains a residual risk of exposing to the network which updates a system has downloaded. Is there reason this isn't of concern?

3 comments

mattdm|7 years ago

Note that Fedora distributes metalinks to mirrorlists via https, and the main mirror at https://dl.fedoraproject.org/pub/ also uses https. We don't mandate that for our (volunteer!) mirror network, but many mirrors _are_ https. (See https://admin.fedoraproject.org/mirrormanager/mirrors/Fedora... for the current list.)

gargravarr|7 years ago

Large organisations, and small, mine included, will generally host an internal mirror of packages. Download the entire archive once a day, serve out to all computers as necessary, making use of the higher bandwidth on the LAN.

As you mention, package checksums are signed using GPG to detect tampering. HTTPS adds very little benefit for such a scenario, and by sticking to plaintext, you can slightly increase the throughput since the server does not need to encrypt all the data it sends out. You also then need to coordinate SSL updates and manage server key security to machines that handle extremely high amounts of traffic continuously. Owing to the above, since many companies and volunteers around the world run mirrors and the Linux community is very open to running such mirrors, it's impossible to enforce SSL across the board.

Even if an attacker were to monitor the download and take note of the package installation, it would tell them very little. Provided the download is not tampered with, the chances are that it is a security update that will improve the system's security.

Many third-party APT sources do indeed use HTTPS (Microsoft, Docker and Yarn come to mind). Due to GPG package verification, this adds very little additional benefit, especially since the data being transferred is public anyway.

Edit: I would also add, some places do not run full mirrors but instead run caching proxy servers, which would not work with HTTPS (without doing some very messy and controversial interception). While this isn't totally what APT was designed for, it's generally the Linux philosophy to make updates and new software widely available as easily as possible.

elmerfud|7 years ago

I think you've mentioned the primary reasons distributors don't consider it a concern. If snooping the the package lists to determine the update list is considered a risk / attack vector, then this is mitigated by running your own mirror with https. Any environment that's at the level where this is one of their security concerns, I would argue is at the point they should have their own mirror, for not only this reason but for the many other benefits it provides.