Ubuntu

Why can you not download updates over SSL/TLS?

Asked by Martin Dehnel-Wild

On running `apt-get update && apt-get upgrade` this morning I noticed that all the Get commands were connecting to non-TLS links, e.g.

`Get:1 http://archive.ubuntu.com/ubuntu/ trusty-updates/main base-files amd64 7.2ubuntu5.4 [67.6 kB]`

Not a problem, I thought. I'll just change the URLs in `/etc/apt/sources.list` to `https://archive.ubuntu.com/...`, and that will allow me to get updates without possibility of the downloads being tampered with en-route.

Except `https://archive.ubuntu.com/` rejects all connections.

Why is this?

If this is a deliberate choice not allow updates over TLS then I'd like to understand the reasoning behind it (this being very different to allowing updates over both *http* and *https*).

If this is just an oversight, could I request that a TLS certificate is provided, and the ability to use TLS enabled?

If this is available, and I've just missed how to use it, then I'm very sorry for missing this; could I therefore request that the TLS connection is used by default, and only downgrades to HTTP if HTTPS is not available on that platform?

I appreciate that the packages are signed, but I think it would still be beneficial to allow HTTPS connections.

Many thanks,

Martin Dehnel-Wild

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu Edit question
Assignee:
No assignee Edit question
Solved by:
actionparsnip
Solved:
Last query:
Last reply:
Revision history for this message
actionparsnip (andrew-woodhead666) said : 		#1

The download server isnt listening on HTTPS, Just HTTP. You can't just change the line and expect it to work.

You could report a bug to get it added, but the packages are MD5 hashed and verified before they are installed so you know they are pristine.

Revision history for this message
Martin Dehnel-Wild (mpdehnel) said : 		#2

Hi Andrew,

Yes, I know that it's not as simple as just changing the address to https://archive.ubuntu.com/...; my query is why the domain archive.ubuntu.com rejects all HTTPS connections as a matter of course.

MD5 hashing is not remotely secure; I believe the packages are actually signed with GPG (which is much more secure than MD5), but this is not the point: TLS should still be offered as an option, as the integrity of packages and updates is of the utmost importance for security. If Ubuntu is to take a 'defence-in-depth' approach, multiple layers of security ought to be offered, e.g. TLS and GPG.

Revision history for this message
Best actionparsnip (andrew-woodhead666) said : 		#3

I suggest you report a bug.

Revision history for this message
Martin Dehnel-Wild (mpdehnel) said : 		#4

Thanks actionparsnip, that solved my question.