by spuz 2705 days ago
I think I understand the exploit but I don't understand whether apt using https would prevent it or not. The author says:

> Yes, a malicious mirror could still exploit a bug like this, even with https.

and:

> I wouldn’t have been able to exploit the Dockerfile at the top of this post if the default package servers had been using https.

So which is it?

4 comments

Essentially adding HTTPS would make the attack harder to exploit. It's not that HTTPS is a panacea (it's not) but that it raises the bar to a successful attack.

With HTTP, this can be exploited by anyone who can MITM a connection between you and the APT server or has control of your DNS.

If you consider all the cases like wi-fi hotspots, that's (potentially) quite a large set of attackers, and a relatively easy attack to pull off in a lot of cases.

With HTTPS, the attacker has either to compromise the whole APT mirror or has to get a valid HTTPS certificate for an APT mirror. This is likely harder to pull off, especially when you look at the work on improving CA security that the browser vendors have been doing over the last couple of years.
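A small defender-side check of the HTTP-versus-HTTPS distinction drawn in the comment above. This is an added shell example, not code from the thread or from apt itself: it scans a constructed sources.list for entries fetched over plain http (the ones an on-path attacker or a DNS spoofer can tamper with) so a build step can fail before anything is installed. The sample list, the hostnames and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): flag apt sources that fetch over plain http.
# Constructed sample of a sources.list; a real check would read /etc/apt/sources.list
# and /etc/apt/sources.list.d/*.list instead of this string.
SAMPLE_SOURCES='deb http://mirror.example/debian stretch main
deb-src http://mirror.example/debian stretch main
# deb http://commented.example/debian stretch main
deb https://mirror.example/debian stretch-updates main
deb [arch=amd64] http://other-mirror.example/debian stretch-backports main
deb file:/var/local/repo ./'

# Print each active (non-comment) deb/deb-src line whose URI scheme is http://.
# The optional [options] field after the type is skipped, so
# "deb [arch=amd64] http://..." is still caught.
list_plain_http_sources() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        $1 == "deb" || $1 == "deb-src" {
            uri = $2
            if (uri ~ /^\[/) {                            # skip the [options] field
                i = 2
                while (i <= NF && $i !~ /\]$/) i++
                uri = $(i + 1)
            }
            if (uri ~ /^http:\/\//) print $0
        }'
}

# Count the offending lines, so a CI job or a Dockerfile build step can fail
# when the count is non-zero.
count_plain_http_sources() {
    list_plain_http_sources "$1" | awk 'END { print NR }'
}

count_plain_http_sources "$SAMPLE_SOURCES"
```

A non-zero count is a signal that the network path, not only the mirror operator, is in the trust set. The check complements apt's own signature verification of the Release files rather than replacing it: HTTPS narrows who can tamper in transit, the signatures are what catch a tampered package from any source.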

We're talking about million-dollar software designed for governments and sold only to the highest bidders. I refuse to believe using HTTPS would be helpful here. This attack uses state-of-the-art techniques to exploit HTTP and there is no reason to assume it wouldn't use state-of-the-art techniques if it were HTTPS.

HTTPS: A malicious mirror operator can pwn you.

HTTP: Everyone can pwn you.

Not saying the first one is ideal, but the second one is definitely worse.

With HTTP an attacker still has to MITM the connection between you and the mirror operator. So, definitely not "everyone".

That includes: coffee shops, ISPs, employers, everyone who can hack their routers, anyone who can spoof DNS, etc. That might as well be "everyone".

STOP IT. Thou shalt use HTTPS.

Fair enough. I agree that HTTPS is valuable here. I was just being overly pedantic, my bad.
The moment we are talking about monitoring a user's software base, we are practically already talking about attackers at the skill level of nation states, so yeah, "everyone" in the subset of plausible attackers.

Both. Without HTTPS, you can execute the attack if you can MITM the connection to the package repository. If HTTPS is used, you need to be the package repository to do the attack, or need a certificate to MITM the connection so you can pretend to be it.

With HTTPS a MitM attacker can still refuse to serve a specific package.

HTTPS prevents an attacker who can compromise the network. It does not prevent an attacker who can compromise the mirror. The author can't compromise an existing mirror, so they wouldn't be able to exploit it (through the network) if the servers were using HTTPS.