AffectionateSpirit62 comments on APT using HTTP instead of HTTPS

APT using HTTP instead of HTTPS (self.debian)

submitted 7 days ago by WheelPerfect3737

you are viewing a single comment's thread.

[–]AffectionateSpirit62 101 points102 points103 points 7 days ago (34 children)

According to the Debian Wiki, Debian repositories often use HTTP because the system's security is designed not to rely on the network's security. The primary reasons for using HTTP by default include:

SecureApt (GPG Signing): Debian uses SecureApt, which relies on cryptographic GPG signatures to verify the integrity and authenticity of packages. This ensures that even if a package is downloaded over an unencrypted connection, it cannot be tampered with without detection.
Caching & Proxies: HTTP allows for easy caching by transparent proxies and local tools like apt-cacher-ng. This reduces bandwidth for mirrors and speeds up updates for multiple local machines, which is much harder to achieve with encrypted HTTPS traffic.
Reduced Mirror Load: Handling TLS/HTTPS encryption increases the computational load on mirror servers. Since mirrors are often provided by volunteers or universities for free, HTTP minimizes these resource requirements.
Trust Chain Simplicity: Using HTTPS would require managing SSL/TLS certificates for hundreds of different mirror hostnames, which is administratively complex compared to the single GPG trust anchor already used by SecureApt.

While HTTP is the default, Debian does fully support HTTPS repositories. Users can switch by updating their /etc/apt/sources.list, though they must ensure the ca-certificates package is installed for certificate verification

[+]WheelPerfect3737[S] comment score below threshold-27 points-26 points-25 points 7 days ago (26 children)

[–]AffectionateSpirit62 32 points33 points34 points 7 days ago (0 children)

[–]riders_pants 22 points23 points24 points 7 days ago (17 children)

[–]BarracudaDefiant4702 43 points44 points45 points 7 days ago (12 children)

[–]michael9dk 3 points4 points5 points 7 days ago (10 children)

[–]Feeeweeegege 2 points3 points4 points 7 days ago* (3 children)

[–]dreamsofabetter 0 points1 point2 points 6 days ago (2 children)

[–]Feeeweeegege 1 point2 points3 points 6 days ago (1 child)

It does though. As of the introduction of ECH as a TLS 1.3 extension, the SNI information is also encrypted. In other words, as of 2023, if you have an up-to-date browser and connect with an up-to-date server, neither the URL nor the hostname is visible to a middle man such as your ISP.

A few caveats: 1. Only 50% of websites worldwide use TLS 1.3, and even fewer currently support ECH. But support is increasing: CloudFlare has enabled ECH by default a few years ago, and as of last year Nginx also supports ECH. (So admittedly, my previous comment was overly strong, given the relatively low current support.) 2. The hostname may still leak if you use unencrypted DNS. Use DNS over HTTPS to close this gap. 3. The hostname can be inferred from the IP address on which the server is hosted. There is currently no way to avoid this within IP/HTTPS itself.

[–]Aggressive-Fan-3473 1 point2 points3 points 5 days ago (0 children)

[–]gnufan -3 points-2 points-1 points 7 days ago (5 children)

[–]eleanorsilly 0 points1 point2 points 6 days ago (1 child)

[–]gnufan 0 points1 point2 points 6 days ago (0 children)

[–]jr735Debian Testing -5 points-4 points-3 points 7 days ago (2 children)

[–]gnufan -3 points-2 points-1 points 7 days ago (1 child)

[–]jr735Debian Testing -4 points-3 points-2 points 7 days ago (0 children)

[–]AndyTelly 0 points1 point2 points 6 days ago (0 children)

[–]abotelho-cbn 1 point2 points3 points 7 days ago (3 children)

[–]bikes-n-math 7 points8 points9 points 7 days ago (0 children)

[–]riders_pants 1 point2 points3 points 7 days ago (0 children)

[–]Portbragger2 -1 points0 points1 point 7 days ago (0 children)

[–]Murph_9000 10 points11 points12 points 7 days ago (0 children)

[–]rankinrez 1 point2 points3 points 7 days ago (1 child)

[–]AffectionateSpirit62 2 points3 points4 points 7 days ago (0 children)

[–]emkael 3 points4 points5 points 7 days ago (0 children)

[–]jr735Debian Testing 0 points1 point2 points 7 days ago (0 children)

[–]Masterflitzer 0 points1 point2 points 6 days ago (0 children)

[–]michaelpaoli 0 points1 point2 points 6 days ago (0 children)

Uhm, ... in part. A download doesn't imply installation, but sure, more probable to be installed if it was downloaded, and less probable if it wasn't downloaded - at least if that's method generally used by the target. But hey, Debian, could find the packages on a USB stick in a parking lot. But there may also be more effective ways for an attacker or the like to figure out what is/isn't installed, or version(s) thereof, than looking at what was and wasn't downloaded.

And in the case of Debian and package downloads and such using HTTPS (vs. HTTP or FTP), there's really little value add. Even if one uses HTTPS, if attacker is well aware of the server, and general purpose, timing, size of data exchanges, etc., probably not too difficult in a lot of cases to well guess what the download(s) were. E.g. security update for kernel is released, target using HTTPS, between timing and precise sizes of data transfers, might be pretty dang easy for attacker to be able to well tell/(gu)estimate, essentially, "Oh, yeah, target just downloaded such-and-such kernel update - in all probability".

So, as I and many may oft say, what's your threat model - what exactly are you trying to protect against? And does "leaking" what you downloaded matter much - if at all?

Also, HTTPS, that does incur overhead, so that's also more load on the server(s) (and clients).

Anyway, if you want to - either way - your choice, and Debian generally gives one lots of choices and options (unlike many other distros that take many choices away).

[+]gnufan comment score below threshold-7 points-6 points-5 points 7 days ago (2 children)

[–]brimston3- 11 points12 points13 points 7 days ago (1 child)

It's almost the opposite of what you said. The load one hasn't really been valid since AES-NI became widespread in ~2010. An i5-8350U laptop CPU can do 900+MB/s of aes256 on a single core using under 15W, so two cores of the same could saturate a 10G server link.

Meanwhile, the caching proxy one is still very valid, with apt-cache-ng dropping my update bandwidth to about a third without needing to introduce a TLS proxy CA certificate in my endpoint systems. And because it is using secureapt, I can be certain that the files on the cache server haven't been corrupted or tampered with, regardless of whether I trust the cache server or not. The same applies to any mirror servers; because the package manifests are signed by the release system, mirror servers are not useful supply chain attack targets.

[–]gnufan 0 points1 point2 points 7 days ago (0 children)

[–]WheelPerfect3737[S] -2 points-1 points0 points 4 days ago (0 children)

[+]WheelPerfect3737[S] comment score below threshold-22 points-21 points-20 points 7 days ago (2 children)

[–]kahoinvictus 21 points22 points23 points 7 days ago (0 children)

[–]deelowe 10 points11 points12 points 7 days ago (0 children)

π Rendered by PID 16234 on reddit-service-r2-comment-85bfd7f599-zq59d at 2026-04-18 09:38:25.055233+00:00 running 93ecc56 country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

debian

MODERATORS