kernel.ubuntu.com doesn't serve packages or checksums via HTTPS

Asked by Victoid

Isn't it trivial to MITM both a kernel package and its checksum, since kernel.ubuntu.com doesn't serve its ppa over HTTPS? There is no secure transport to receive the checksum for verification.

It seems like it would be a minor increase in load to simply enable HTTPS on kernel.ubuntu.com.
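The failure the question describes, as an added illustration (not from the original thread or from Ubuntu): when the package and its checksum file travel over the same unauthenticated channel, an on-path attacker who replaces the package simply recomputes the checksum, so in-band verification still passes. Only a reference obtained out of band can catch the swap. The package bytes are constructed samples; `fetch_over_http` is a stand-in for the real download.

```python
import hashlib

# Constructed samples standing in for a kernel .deb fetched from the PPA.
GENUINE_PACKAGE = b"linux-image-generic: genuine build (constructed sample)"
TAMPERED_PACKAGE = b"linux-image-generic: modified build (constructed sample)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_over_http(tampered: bool):
    """Model a plain-HTTP download of a package plus its checksum file.

    With tampered=True an on-path attacker rewrites the package and then
    publishes a matching checksum, which nothing in plain HTTP prevents.
    """
    package = TAMPERED_PACKAGE if tampered else GENUINE_PACKAGE
    checksum_file = sha256_hex(package)  # recomputed to match whatever was sent
    return package, checksum_file


def verify_in_band(package: bytes, checksum_file: str) -> bool:
    """Compare against the checksum fetched over the same channel."""
    return sha256_hex(package) == checksum_file


def verify_against_pinned(package: bytes, pinned_sha256: str) -> bool:
    """Compare against a reference obtained out of band, before any attacker
    was on the path (e.g. recorded earlier over an authenticated channel)."""
    return sha256_hex(package) == pinned_sha256


# Reference value recorded in advance over a trusted channel (assumed here).
PINNED_SHA256 = sha256_hex(GENUINE_PACKAGE)


def demo() -> dict:
    """Return {tampered: (in_band_ok, pinned_ok)} for both download scenarios."""
    results = {}
    for tampered in (False, True):
        pkg, sums = fetch_over_http(tampered)
        results[tampered] = (verify_in_band(pkg, sums),
                             verify_against_pinned(pkg, PINNED_SHA256))
    return results


if __name__ == "__main__":
    for tampered, (in_band, pinned) in demo().items():
        print(f"tampered={tampered}: in-band check={in_band}, pinned check={pinned}")
```

For the tampered download the in-band check still reports success; only the pinned comparison fails, which is why a checksum served over the same HTTP channel adds no integrity.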

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: Victoid
Manfred Hampl (m-hampl) said:
#1

There is already Bug #1464064 requesting that https should be enabled on all Ubuntu repository servers.

Victoid (djvictoid) said:
#2

I can't believe this was argued over two years ago without resolution. The certificates are free, and it takes negligible effort to switch on https.

actionparsnip (andrew-woodhead666) said:
#3

Don't you mean kernel.ubuntu.com?

kernel.ubuntu.org doesn't resolve.

actionparsnip (andrew-woodhead666) said:
#4

Certificates aren't free, by the way. Some are very cheap, but unless you are using self-signed, it's not free.

Victoid (djvictoid) said:
#5

Yes, sorry, I typo'd the kernel team repo. My apologies.

Yes, certificates are free. Let's Encrypt provides free certificates in use by many major nonprofits. It's quite well-known at this point. https://letsencrypt.org/

actionparsnip (andrew-woodhead666) said:
#6

I wouldn't use a free cert for something like Ubuntu.

I suggest you report a bug.

Victoid (djvictoid) said:
#7

This is like screaming into the wind. Certs aren't free, but you wouldn't use a free cert. OK.