APT (advanced packaging tool) is a program for installing, updating, and uninstalling software packages on Debian operating systems and those based on them (Ubuntu, Linux Mint, etc.). Sometimes also used in Mandrake-based distributions. Packages are downloaded over the Internet from repositories over an unprotected connection , without using the TLS protocol and encryption. The question arises: why? Doesn't HTTPS provide better security? Debian believes that HTTPS is an unnecessary entity, since the SecureAPT system checks the checksum for the downloaded files and the cryptographic gpg-signature of the entire package.

One of the Debian developers launched the website whydoesaptnotusehttps.com (“Why APT does not use HTTPS”), where it explains the official position.

How SecureAPT Works

First, apt compares the hashes of files from the package. They are published on the Debian website in the Release ...

MD5Sum: 6b05b392f792ba5a436d590c129de21f 3453 Packages 1356479a23edda7a69f24eb8d6f4a14b 1131 Packages.gz 2a5167881adc9ad1a8864f281b1eb959 1715 Sources 88de3533bf6e054d1799f8e49b6aed8b 658 Sources.gz 

... and transmitted along with the package.

 Package: uqm Priority: optional ... Filename: unstable/uqm_0.4.0-1_i386.deb Size: 580558 MD5sum: 864ec6157c1eea88acfef44d0f34d219 

To protect the Release file from forgery, the SecureAPT system adds the gpg digital signature, which is in the Release.gpg file:

 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQBCqKO1nukh8wJbxY8RAsfHAJ9hu8oGNRAl2MSmP5+z2RZb6FJ8kACfWvEx UBGPVc7jbHHsg78EhMBlV/U= =x6og -----END PGP SIGNATURE----- 

The apt program downloads the Release.gpg file and verifies the signature using trusted public keys, which are stored in the /etc/apt/trusted.gpg file. By default, the public key of the Debian archive is recorded there.

 joey@dragon:~>sudo apt-key list /etc/apt/trusted.gpg -------------------- pub 4096R/55BE302B 2009-01-27 [verfällt: 2012-12-31] uid Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org> 

This is the last line of defense, so Debian periodically changes the keys. New keys are distributed with the debian-archive-keyring package and are also published on the web page .

After the publication of the new public key, another procedure occurs. The secret key that was used to generate the public key is divided into five parts using the gfshare program and distributed among five reputable developers according to Shamir's secret sharing scheme. To restore the secret, at least three of the five developers must provide their own part of the secret. The mathematical proof of Shamir's scheme was published on Habré : it is based on the fact that an unlimited number of polynomials of degree 2 can be drawn through two points on the plane. To choose the only one of them, we need a third point. Simply put, the scheme is based on polynomial interpolation.


So, in the SecureAPT system, the secret key is divided into five parts and securely protected, the cryptographic signature of the Release file is checked with a publicly available public key, and the checksums of the files from the package are stored in this file. Why use HTTS if everything is so secure?

Why use HTTP?

The main objective of HTTPS is to hide traffic from prying eyes (provider, government services and other intruders) so that a third party cannot:

1. Intervene in traffic (modify it).
2. Listen to traffic (information gathering, intelligence).

The SecureAPT system partially protects against the first threat, but not against the second one. Since the packets are transmitted through open channels, an outsider sees which particular packets are being downloaded and from where. An attacker can also replace the packages and the digital signature, but then it will not pass the check.

Debian developer writes:

HTTPS does not provide meaningful privacy for receiving packets, since an attacker usually sees which hosts you are contacting. If you connect to the distribution mirror, it will be completely obvious that you are downloading updates.

This paragraph is probably written at a time when browsers and Internet services did not begin to support DNS over TLS and DNS over HTTPS (DoH) technology for encrypting DNS traffic. For example, in April 2018, it was implemented by one of the largest CDN providers Cloudfalre, and in October 2018, Google Public DNS also included support for DNS over TLS .

Thus, after appropriate configuration of the system, you can effectively hide DNS requests from an unauthorized person who listens to traffic. Also, there is an active work on the introduction of other technologies that hide the addressee of the packages. That is, in the future, HTTPS will still be able to ensure proper confidentiality.

Debian gives another argument: even on an encrypted connection, “it’s easy to find out which files the user is downloading by traffic size”. This “vulnerability” can be used even when analyzing traffic through Tor .

Finally, Debian sees no reason to completely trust certification authorities: there are more than 400 CAs that offer certificates for any domain. Many have a bad reputation, and some are directly controlled by the state. It's hard to determine which CA you can trust .

Thus, according to Debian, the most important thing is to ensure the authenticity of the files in the package, and not to protect the connection itself.

Why not implement HTTPS over the existing SecureAPT mechanism? The developer considers this a complex engineering task that requires the secure exchange and storage of secret keys. In addition, the introduction of HTTPS implies “misleading users regarding the level of security and privacy” for the reasons described above.

In 2019, the deliberate rejection of HTTPS looks quite extravagant, so the position of Debian provoked a lively discussion on Hacker News , where commentators put forward several counter-arguments.

What do you think, is it necessary to encrypt apt traffic? (Poll below).

---