Does apt-get use https or any kind of encryption? Is there a way to configure it to use it?
apt-get (and other package manipulation commands, which are a front-end to the same APT libraries) can use HTTP, HTTPS and FTP (and mounted filesystems). If you specify https:// URLs in /etc/apt/sources.list and /etc/apt/sources.list.d/*, then APT will use HTTPS.
APT verifies the signature of packages. So you do not need to have a form of transportation that provides data authentication. If an attacker modifies the files you're downloading, this will be noticed. Using a signature verification is better than using an HTTPS connection, because it'll detect an attack on the server you're downloading from, not just an attack in transit.
More precisely, the (simplified) data flow for a package is the following:
HTTPS ensures that step 4 happens correctly. The package signatures ensure that steps 2 to 4 happen correctly.
In fact, there is one small benefit to HTTPS for step 4: the package signatures only ensure that the package is authentic. An attacker in step 4 could impersonate a legitimate server and serve stale versions of the package. For example, the attacker could prevent you from downloading any security updates, in the hope of exploiting a vulnerability on your machine that you would have patched if it wasn't for the attack. This isn't a very realistic scenario, because it requires an active attacker (so that would have to be someone in control of your Internet connection), but it could happen in principle.
The other benefit to HTTPS would be if you're trying to hide the fact that you're downloading Ubuntu packages from someone snooping on your network connection. Even then, the eavesdropper could see what host you're connecting to; if you connect to an Ubuntu mirror and download hundreds of megabytes, it's clear that you're downloading Ubuntu packages. The eavesdropper could also mostly figure out which packages you're downloading from the size of the files. So HTTPS would only be useful if you're downloading from a server that also offers other files of similar size — I don't see any point except for third-party packages, and only in very unusual circumstances.
To reiterate: the usual benefit of HTTPS, which is that you know you're connected to the real server, is useless when you're downloading Ubuntu packages. The signature verification on packages gives a stronger guarantee than what HTTPS can provide.
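As an added illustration of the configuration point in the answer above (this is example code written for this page, not part of the original answer or of APT itself): a small POSIX shell script that lists the transport used by each entry in a sources.list-style file, counts the entries still using an unencrypted transport, and rewrites plain http:// entries to https://. It assumes the classic one-line "deb [options] uri suite components" format (not the newer deb822 .sources files), and the mirror hostnames in the embedded sample are constructed. Rewriting a URL only helps if that mirror actually serves HTTPS, and on APT releases older than 1.5 the separate apt-transport-https package must be installed for https:// sources to work at all.

```shell
#!/bin/sh
# Added example (not from the original answer): inspect APT source lines and
# rewrite plain-HTTP entries to HTTPS. Functions read stdin so they can be
# exercised offline; pass /etc/apt/sources.list as an argument to use it for real.
# Assumes the one-line "deb [options] uri suite components" format.

# Constructed sample of a sources.list (hostnames are placeholders).
SAMPLE_SOURCES='# Ubuntu main archive
deb http://archive.ubuntu.com/ubuntu jammy main restricted
deb-src http://archive.ubuntu.com/ubuntu jammy main restricted
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://mirror.example.org/ubuntu jammy main
deb ftp://ftp.example.org/debian bookworm main
'

# Print one line per entry: TRANSPORT<TAB>URI. Comments and blank lines are skipped.
transport_report() {
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            # skip an optional [options] block, which may span several fields
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            uri = $i
            split(uri, parts, ":")
            printf "%s\t%s\n", parts[1], uri
        }'
}

# Count entries that still use an unencrypted transport (http or ftp).
count_plaintext() {
    transport_report | awk '$1 == "http" || $1 == "ftp" { n++ } END { print n + 0 }'
}

# Rewrite "http://" to "https://" in deb/deb-src lines only; comments, options,
# suites and components are left untouched. Whether the mirror actually serves
# HTTPS must be checked separately (e.g. with curl -I against the new URL).
rewrite_to_https() {
    sed -E 's#^([[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*[]][[:space:]]+)?)http://#\1https://#'
}

if [ "$#" -gt 0 ]; then
    # Real use: report on the file(s) given on the command line.
    cat "$@" | transport_report
else
    # Demo on the constructed sample.
    printf '%s' "$SAMPLE_SOURCES" | transport_report
    printf 'plaintext entries: %s\n' "$(printf '%s' "$SAMPLE_SOURCES" | count_plaintext)"
    printf '%s' "$SAMPLE_SOURCES" | rewrite_to_https
fi
```

Run it with no arguments to see the report on the embedded sample, or as `sh script.sh /etc/apt/sources.list /etc/apt/sources.list.d/*.list` to audit a real system; to apply the rewrite, pipe a file through `rewrite_to_https` and review the diff before replacing the original.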