I saw an apt update come through in my downloads last week. It wasn't until a couple of days later that I found this article. A good reminder to keep on top of updates.
I thought this paragraph was interesting, especially since HTTPS has become fairly close to a universal standard:
He also pointed out that, “By default, Debian and Ubuntu both use plain http repositories out of the box.” While there’s heated debate over whether the more secure https actually improved apt security, Justicz knows his position: “I wouldn’t have been able to exploit the Dockerfile at the top of this post if the default package servers had been using https.”
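Since the quoted point is that the default Debian/Ubuntu package sources are plain `http://` lines, the quickest practical check is to audit the `sources.list` entries themselves. The following is an added example, not code from the article or from Justicz; it works on a constructed sample of a `sources.list` embedded inline (the mirror hostnames in it are assumed for illustration), lists the active `deb`/`deb-src` lines that still fetch over plain HTTP, and rewrites them to `https://` while leaving commented-out lines alone.

```shell
# Constructed sample of a sources.list; not taken from the page or from any real system.
SAMPLE_SOURCES='deb http://deb.debian.org/debian buster main
deb-src http://deb.debian.org/debian buster main
# deb http://example.invalid/debian buster main
deb https://deb.debian.org/debian-security buster/updates main
deb [arch=amd64] http://archive.ubuntu.com/ubuntu bionic main'

# Print every active (uncommented) deb/deb-src line whose URI is plain http://.
# The leading pattern skips comment lines, so "# deb http://..." is not reported.
list_plain_http() {
    printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*deb(-src)?[[:space:]]' \
        | grep -E '[[:space:]]http://'
}

# Number of active plain-http entries; tr strips the padding BSD wc adds.
count_plain_http() {
    list_plain_http "$1" | wc -l | tr -d ' '
}

# Rewrite http:// to https:// on active deb/deb-src lines only.
# Commented lines and entries that are already https:// are left untouched.
rewrite_to_https() {
    printf '%s\n' "$1" \
        | sed -E '/^[[:space:]]*deb(-src)?[[:space:]]/ s#([[:space:]])http://#\1https://#'
}

# Usage on the constructed sample: reports 3 plain-http entries, then shows the rewritten file.
echo "plain-http entries: $(count_plain_http "$SAMPLE_SOURCES")"
rewrite_to_https "$SAMPLE_SOURCES"
```

To run this against a real machine, feed it `$(cat /etc/apt/sources.list)` and each file under `/etc/apt/sources.list.d/` (the newer deb822-style `.sources` files use a `URIs:` field and are not handled here). Two caveats before switching: the mirror must actually serve HTTPS, which not every mirror does, and on releases whose apt is older than 1.5 the `apt-transport-https` package has to be installed first or apt will refuse the `https://` method.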
Thanks. It is a good warning to us all to make sure we apply the updates as soon as possible and not leave them.
I always wondered why they aren't just using HTTPS, but I guess at least I'm right, after all.
That was kind of my thought when I read that. I'm no security expert, but it just made me scratch my head.
The point nowadays is that it basically costs no effort and doesn't even have to cost money to set up HTTPS. Sure, when Debian came out it was a different story. But now actually everything should be HTTPS-enabled (and even forced), except where it explicitly doesn't work, technically.
P.S.: Check out the HTTPS Everywhere browser plugin.
Part of the only reason I kind of understand this debate is because HTTPS Everywhere has been a standard include in Firefox for some time now. I am currently reading some of the follow-up links from the article, but so far all I get is "well, HTTPS doesn't protect from as much as you might think" countered by "even if it only protects from rare man-in-the-middle single-system cases, isn't that worth shutting down?".
That is not an argument to me. If I can improve the security of any online-accessed resource for FREE, even by just 1%, why not just do it? For a webmaster it takes 2 minutes anyway to set up Let's Encrypt.
Quite agreed. I only included that (very paraphrased) version of the pro-HTTP argument for the sake of stating it, because it seems to be why that is the present standard.
If you are wondering why apt doesn't use HTTPS, you should read this:
That’s a new slant.
But when installing with Debian's net-installer, at the mirror or apt settings (can't quite remember precisely which), it states it is best practice to use HTTP rather than HTTPS, as HTTPS and the firewall do not fully cooperate.
Thanks for that link. Very interesting and informative, and I learnt from it.
Good point, thanks for passing this on.
So I wonder how long the exploit has been there? Probably throughout the whole time that Linux has been running, and no one was any the wiser? Who knows? Just goes to show how damn quick Linux developers are at fixing things. Keeping your system up to date is the best advice to give anyone, on whatever platform or OS.