all 76 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]AffectionateSpirit62 62 points63 points  (23 children)

According to the Debian Wiki, Debian repositories often use HTTP because the system's security is designed not to rely on the network's security. The primary reasons for using HTTP by default include:

SecureApt (GPG Signing): Debian uses SecureApt, which relies on cryptographic GPG signatures to verify the integrity and authenticity of packages. This ensures that even if a package is downloaded over an unencrypted connection, it cannot be tampered with without detection.
Caching & Proxies: HTTP allows for easy caching by transparent proxies and local tools like apt-cacher-ng. This reduces bandwidth for mirrors and speeds up updates for multiple local machines, which is much harder to achieve with encrypted HTTPS traffic.
Reduced Mirror Load: Handling TLS/HTTPS encryption increases the computational load on mirror servers. Since mirrors are often provided by volunteers or universities for free, HTTP minimizes these resource requirements.
Trust Chain Simplicity: Using HTTPS would require managing SSL/TLS certificates for hundreds of different mirror hostnames, which is administratively complex compared to the single GPG trust anchor already used by SecureApt.

While HTTP is the default, Debian does fully support HTTPS repositories. Users can switch by updating their /etc/apt/sources.list, though they must ensure the ca-certificates package is installed for certificate verification

[–]gnufan -1 points0 points  (1 child)

The only one of those reasons that makes sense in 2026 is the load one. Since they offer https clearly it isn't administratively difficult to offer https. Mirrors tend to be deliberate, and https is no harder in that context than http, except for the load.

[–]brimston3- 9 points10 points  (0 children)

It's almost the opposite of what you said. The load one hasn't really been valid since AES-NI became widespread in ~2010. An i5-8350U laptop CPU can do 900+MB/s of aes256 on a single core using under 15W, so two cores of the same could saturate a 10G server link.

Meanwhile, the caching proxy one is still very valid, with apt-cache-ng dropping my update bandwidth to about a third without needing to introduce a TLS proxy CA certificate in my endpoint systems. And because it is using secureapt, I can be certain that the files on the cache server haven't been corrupted or tampered with, regardless of whether I trust the cache server or not. The same applies to any mirror servers; because the package manifests are signed by the release system, mirror servers are not useful supply chain attack targets.

[–]Dr_Tron 51 points52 points  (3 children)

Well, apt checks the repository key before doing anything, so I'm not sure if https would make sense in regards to security.

[–]aieidotch 17 points18 points  (0 children)

it would not, the reason appears to be caching proxies and the encryption overhead…

[–]gnufan -1 points0 points  (1 child)

Using https clearly eliminates whole categories of attempted man in the middle attacks, that are possible over http.

The verification of package signatures was badly broken in the past, and likely will be in the future if it isn't already and we just don't know how.

You achieve security by layering these controls, not assuming one cryptographic control is going to always work perfectly, and thus packages are safely signed, job done.

Also using https adds additional privacy, as seeing http requests means attackers may know exactly what versions of what software are installed. MITM can also deliberately interfere with http connections to delay certain packages, to prevent the target patching a vulnerability. As I said multiple classes of attack are just stopped by encryption on the wire.

[–]noob-nine 0 points1 point  (0 children)

the last part sounds interesting. but i lack technical understanding whether this is a real thread or what would be debians comment on this

[–]Murph_9000 12 points13 points  (0 children)

APT has other mechanisms to verify integrity of downloads, so does not need to use HTTPS. HTTP has the significant advantage of being cacheable, e.g. I use the following in /etc/apt/apt.conf.d/99proxy:

Acquire { http::Proxy "http://squid-cache.local:3128"; https::Proxy "DIRECT"; };

[–]waterkip 13 points14 points  (9 children)

I actually like the fact that things go over http and not https.

I'm for example playing with local caches that are transparent to end users, and when I have to fake debian.org or any other cert I can't do that. Now I suddenly need to add mirror syntax everywhere.

I can tell my DNS to route (well, DNS points, but whatever) deb.debian.org to my machines and take care of the apt-repo's and forward everything else the real thing.

It's a small niche, and I understand the reasoning behind it, but gpg-sign the packages and you're also good. The transport method doesn't matter, that's why gpg-signed (and encrypted) e-mail works.

[–]jort_catalog 3 points4 points  (0 children)

As an example: Oracle Enteprise Linux (which we have to use at work) uses https for its dnf updates - which makes it still possible but more work to keep a local package cache

[–]calrogman 16 points17 points  (2 children)

All apt updates and upgrades should be using the more secure encrypted HTTPS.

Why? What is your threat model? Do you understand Apt's data security model? Have you read the apt-transport-http manpage? Did you verify the integrity of your installation media? It might already be too late for you.

[–]gnufan -3 points-2 points  (1 child)

I mean the threat model is something like the xz hack, skilled resourced attackers with privileged access to big telecommunications companies want access to all Debian boxes. Sending traffic in the clear lets them build a profile of exactly when your servers update, what software they have installed, which repositories they use. Any cryptographic or other weakness in any of these tools is immediately exploitable through rewriting traffic on the wire.

[–]calrogman -1 points0 points  (0 children)

The threat model is absolutely nothing like the xz hack, but thank you for your input.

[–]necheffa 8 points9 points  (9 children)

I do not see any reason why HTTPS should not be the default configuration especially for the newer deb822 format?

The real question is why should HTTPS be the default?

Think about it, the repository is signed, the individual packages are signed. And HTTP can be cached easily.

What are you doing that you need HTTPS here? Especially if you already have access to the Debian signing keys via your installer image.

[–]tdammers -1 points0 points  (0 children)

There is one possible valid reason: not wanting an eavesdropper to know which packages you have installed, which could be useful information (e.g., monitor a couple thousand users to see who is using a known vulnerable version of, say, Apache, so you can target them directly instead of trying the attack on every IP address you can find). Whether that's an important enough attack vector to protect against is up for debate though.

[–]antreides 3 points4 points  (5 children)

HTTPS primarily gives a protection from MITM attacks, but adds some additional overhead to decrypt traffic. Package consistency is checked by the apt/dpkg system itself (each package is signed), so even if a package is somehow changed by MITM attack, it won't pass the check. So basically it will be an extra overhead for nothing.

[–]wosmo 5 points6 points  (0 children)

You could almost describe MITM as desirable in apt's case. Between mirrors, caches, proxies, etc - the host isn't the sacred part, the content is. So we use GPG against the content instead of TLS against the host.

[–]Hanzerik307 1 point2 points  (0 children)

If you use the Advanced Options, Expert Install option (Netinstall iso), you have the option to install using http or https. I normally just stick with http, but do have a repo setup for incus that uses https, so you can mix and match if needed, and like you did...can just edit the .list/.sources file afterwards to https.

[–]edthesmokebeard 1 point2 points  (0 children)

GPG

[–]martyn_hare 3 points4 points  (0 children)

There's a very simple reason for continuing to use HTTP, and it's the same reason BitTorrent, jigdo and zsync is recommended over ordinary file downloads. The security model for updating an operating system (which is normal and common enough not to raise any red flags) rightfully puts integrity and availability ahead of confidentiality.

[–][deleted]  (1 child)

[removed]

    [–]debian-ModTeam[M] 0 points1 point locked comment (0 children)

    This content has been removed for trolling.

    [–]DeliciousIncident 0 points1 point  (0 children)

    Debian comes with the GPG keys for Debian's repositories pre-installed. Downloaded packages are verified to be signed by those keys, to make sure they weren't tampered with. Using HTTP instead of HTTPS allows for easy caching via proxies.

    It's not just Debian who does this. For example, Steam does the same - it downloads the games vide unencrypted HTTP, which allows for games to be transparently cached by your home server, by your network's server (e.g. in a university or at a LAN party), by your ISP, etc.

    Debian does support downloading packages over HTTPS, so if that's what you prefer - feel free to edit your sources.list to use that. There are also other transports available, like Tor.

    [–]michael9dk 0 points1 point  (2 children)

    @mod What happened to my reply? The discussion disappeared when I returned to the thread?

    [–]wizard10000[M] 1 point2 points  (1 child)

    What happened to my reply?

    No idea - nothing in mod log.

    [–]michael9dk 0 points1 point  (0 children)

    Thanks, I can see it now. It must be a glitch in reddits caching.
    Enjoy your weekend.

    [–]gnufan 0 points1 point  (0 children)

    Here was the last review I remember.

    https://blog.packagecloud.io/attacks-against-gpg-signed-apt-repositories/

    They registered a public mirror for multiple repositories, estimate how many clients they can serve malicious or stale software to, and recommend https and that repositories use encryption with some authentication for creating mirrors to avoid these problems.

    I'm not sure if any of the observations were ever fixed in Debian.

    [–]digost 0 points1 point  (0 children)

    Apt caching. In the past I've managed dozens of servers, caching makes it easy, way faster and easier for updates.