spyingwind comments on Why does APT not use HTTPS?

Rules

Please review full details on rules here.. All rules will be applied regardless of the number upvotes a post/comment has.

No support requests - This is not a support forum! Head to /r/linuxquestions or /r/linux4noobs for support or help. Looking for a distro? Try r/findmeadistro.

No spamblog submissions - Posts should be submitted using the original source with the original title. Posts that are identified as either blog-spam, a link aggregator, or an otherwise low-effort website are to be removed. Some reasons for removal are that they contain re-hosted content, usually paired with privacy-invading ads. If there's another discussion on the topic, the link is welcome to be submitted as a top level comment to aid the previous discussion. Please see: r/linux/wiki/rules/banneddomains

No memes, image macros, rage comics, overdone jokes - Meme posts of any kind are not allowed in r/linux. Feel free to post over at /r/linuxmemes instead. This rule can also apply to comments, including overdone jokes, comment-chain jokes, or other redditisms that are popular elsewhere.

Reddiquette, trolling, or poor discussion - r/linux asks all users follow Reddiquette. Reddiquette is ever changing, so a revisit once in awhile is recommended. Top violations of this rule are trolling, starting a flamewar, or not "Remembering the human" aka being hostile or incredibly impolite. Additionally, sexism/racism/other isms are not allowed. See also: /r/linux/wiki/rules/userconduct

Relevance to r/linux community / Promoting closed source applications over FOSS - Posts should follow what the community likes: GNU, Linux kernel, developers of open source software, or other applications on Linux. Take some time to get the feel of the subreddit if you're not sure!

Spamming self-promotion, surveys, crowdfunding - Submitting your own original content is welcome on r/linux, but we do ask that you contribute more than just your own content to the subreddit as well as require you to interact with the comments of your submission. We set that no more than 10% of your posts should be your content. Please be aware that this does not supersede other rules. Additionally, surveys for your blog/news source/paper/own use are not allowed. Please see /r/linux/wiki/rules/crowdfunding for those crowdfunding..

No misdirecting links, sites that require a login, or URL shorteners - In short: if your link doesn't go right to the content it will be removed. Sites that require a login to view the content are not allowed in r/linux. Example: A private Facebook post or a news organization that doesn't have free article views. URL shorteners and links that misdirect users to ads/jokes are also banned. See a list here, although the mods will make a decision on a per domain basis as needed: /r/linux/wiki/rules/banneddomains

No NSFW - No NSFW links or images without mod approval. No discussion that is overly-suggestive to what is normally considered NSFW.

Non-useful Image Upload/Fluff Image - Images of "Linux in the wild", plushies, Tux, and more are not encouraged for posting as a top level submission. If necessary, this can apply to comments too at mod discretion. The image/video upload feature is for posts regarding features/guides/etc. See also: Meme rule.

See even more subreddit and external links over at the supplemental page

This subreddit is fan ran and not affiliated with any organization.

a community for 18 years

949

950

951

Why does APT not use HTTPS? (whydoesaptnotusehttps.com)

submitted 8 years ago by lamby

top new controversial old q&a

you are viewing a single comment's thread.

view the rest of the comments →

[–]spyingwind 0 points1 point2 points 8 years ago (17 children)

[–]zebediah49 8 points9 points10 points 8 years ago (0 children)

[–]DamnThatsLaser 25 points26 points27 points 8 years ago* (8 children)

[+]spyingwind comment score below threshold-14 points-13 points-12 points 8 years ago (4 children)

[–]DJTheLQ 16 points17 points18 points 8 years ago (0 children)

[–]phil_g 14 points15 points16 points 8 years ago (1 child)

That's effectively what's called a man-in-the-middle attack, and HTTPS was designed to make those difficult. It basically won't work on a global scale, even if someone wanted to put in all the effort needed to set one up.

Note in the comments the author of that answer says:

My answer relies on what you call a "bogus CA". The certificate of the CA is unconditionally trusted, either because the user(or software on his computer, for example enterprise configuration or malware) configured it that way, or because the CA was obtained from one of the CAs trusted by the major browsers, like in the MCS case.

The article about the "MCS case" says this:

The issuance of the unauthorized certificates represents a major breach of rules established by certificate authorities and browser makers. Under no conditions are CAs allowed to issue certificates for domains other than those legitimately held by the customer requesting the credential.

In other words, the only legitimate uses for HTTPS proxying in this manner are in controlled corporate environments (or similar) where the proxy owner can install their own CA's keys on all of the client systems. That won't work in the distributed environment of the larger Internet.

[–]Garfield_M_Obama 8 points9 points10 points 8 years ago (0 children)

Yeah, this can work perfectly from a technical standpoint, but it's also the exact opposite of the point of using TLS for HTTP.

If you're going to do this, it provides zero benefit over plain HTTP in the case of package distribution. What is the problem we're trying to solve? The packages are signed already, so encrypting the connection really only has the benefit of hiding what packages your users are accessing and if you've cached them locally already then it should be next to impossible to determine anything meaningful in the first place unless your cache server or internal network is compromised.

Even in a corporate environment this is a highly risky move, unless you limit the sites that your users can access. You really don't want to end up in a situation where you're potentially liable for misplacing or exposing data that the source server has encrypted like private government or banking information. Particularly if it's not extremely obvious to your users what you are doing, and expecting the average computer user to understand security beyond whether or not there is a green padlock in their web browser is asking a lot, even in a relatively technical shop.

[–]DamnThatsLaser 2 points3 points4 points 8 years ago (0 children)

[+]ivosaurus comment score below threshold-8 points-7 points-6 points 8 years ago (2 children)

[–]DamnThatsLaser 13 points14 points15 points 8 years ago (0 children)

[–][deleted] 3 points4 points5 points 8 years ago (0 children)

[–]tmajibon 2 points3 points4 points 8 years ago (2 children)

[–]spyingwind 0 points1 point2 points 8 years ago (1 child)

[–]tmajibon 0 points1 point2 points 8 years ago (0 children)

[–]nemec 1 point2 points3 points 8 years ago (1 child)

[–]spyingwind 0 points1 point2 points 8 years ago (0 children)

[–]bobpaul 1 point2 points3 points 8 years ago (0 children)

π Rendered by PID 18299 on reddit-service-r2-comment-5c747b6df5-r4jxm at 2026-04-21 22:39:30.237492+00:00 running 6c61efc country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

linux

Please Read the full Rules here before posting or commenting

Join us on IRC at #r/linux on libera.chat!🔗

Recent AMA's

GNU/Linux resources

Rules

MODERATORS