apt-get (and other package manipulation commands, which are a front-end to the same APT libraries) can use HTTP, HTTPS and FTP (and mounted filesystems). If you specify https:// URLs in /etc/apt/sources.list and /etc/apt/sources.list.d/*, then APT will use HTTPS.
APT verifies the signature of packages. So you do not need to have a form of transportation that provides data authentication. If an attacker modifies the files you're downloading, this will be noticed. Using a signature verification is better than using an HTTPS connection, because it'll detect an attack on the server you're downloading from, not just an attack in transit.
More precisely, the (simplified) data flow for a package is the following:
The package is produced on a build machine.
The package is signed on the build machine.
The signed package is copied to a download mirror.
You download the package.
HTTPS ensures that step 4 happens correctly. The package signatures ensure that steps 2 to 4 happen correctly.
In fact, there is one small benefit to HTTPS for step 4: the package signatures only ensure that the package is authentic. An attacker in step 4 could impersonate a legitimate server and serve stale versions of the package. For example, the attacker could prevent you from downloading any security updates, in the hope of exploiting a vulnerability on your machine that you would have patched if it wasn't for the attack. This isn't a very realistic scenario, because it requires an active attacker (so that would have to be someone in control of your Internet connection), but it could happen in principle.
The other benefit to HTTPS would be if you're trying to hide the fact that you're downloading Ubuntu packages from someone snooping on your network connection. Even then, the eavesdropper could see what host you're connecting to; if you connect to an Ubuntu mirror and download hundreds of megabytes, it's clear that you're downloading Ubuntu packages. The eavesdropper could also mostly figure out which packages you're downloading from the size of the files. So HTTPS would only be useful if you're downloading from a server that also offers other files of similar size — I don't see any point except for third-party packages, and only in very unusual circumstances.
To reiterate: the usual benefit of HTTPS, which is that you know you're connected to the real server, is useless when you're downloading Ubuntu packages. The signature verification on packages gives a stronger guarantee than what HTTPS can provide.
With APT, typically what is more important is not that your connection is encrypted, but that the files you are receiving haven't been tampered with.
APT has built-in signature verification to ensure this.
Encryption would prevent eavesdroppers from being able to see what you are downloading, but what you are actually downloading (and requesting) is pretty uncontroversial: it'll be the same as thousands of other Ubuntu users are downloading and the files contain nothing that isn't freely available on lots of servers. Still, if you need privacy about what packages in particular you're downloading, HTTPS can be used (specify it in your sources.list).
The signature verification that is built in to APT will ensure that the files you receive have not been tampered with. It doesn't really matter where the files come from and it's even possible to have proxies or reverse proxies in between you and the server to reduce server load or speed you up. The signature verification still ensures that you are getting the unmodified file, matching the signature that could only be cryptographically produced with the original file and a copy of Ubuntu's private key.
If you switch to HTTPS, then you won't be able to take advantage of proxy servers for speeding up access or reducing load anymore. And it wouldn't add any more assurance about non-tampering that APT's signature verification doesn't already give. It would, however, mean that eavesdroppers (such as your ISP) will not be able to see which packages you're downloading (which is not likely to be confidential, and as Gilles pointed out they could guess from the file size).
I think this question could use an answer with instructions for the layman, so…
APT still does not use HTTPS by default in daily builds of Ubuntu 19.10 (Eoan) (which is still in development). One can verify this by examining the /etc/apt/sources.list file and noting that all of the source URLs utilize the "http:" URL scheme.
To configure it to use HTTPS, one can follow the following instructions:
First, find a trustworthy official Ubuntu archive mirror that supports HTTPS:
In the table on that webpage, identify mirrors that are (A) hosted on websites you consider to be trustworthy, (B) have an "http:" mirror and, optionally, (C) meet your geographical proximity, server speed, and update freshness preferences.
In the table on that webpage, click an "http" link of a mirror identified in step (2) to visit the "http:" version of the mirror.
In the browser address bar, manually change "http:" in the webpage URL to "https:".
Navigate to the mirror again (via the "https:" URL) to see if it resolves.
If you use Firefox (67.0.4) and have the HTTPS Everywhere (2019.6.27) extension installed with the "Encrypt All Sites Eligible" feature enabled (via the toolbar button panel), steps (4) and (5) can be omitted because the extension will automatically modify the URL to utilize HTTPS, allowing one to more immediately determine whether the "https:" version of the URL will resolve.
Two, update your APT sources list:
Execute the command sudo cp /etc/apt/sources.list /etc/apt/sources.list.backup to backup your update sources list.
Replace the mirror base URL—shown here as https://mirrors.wikimedia.org—in the command sudo sed --in-place --regexp-extended 's http://(us\.archive\.ubuntu\.com|security\.ubuntu\.com) https://mirrors.wikimedia.org g' /etc/apt/sources.list with the mirror base URL of your preferred mirror and, then, execute the command.
Thirdly, you should examine the contents of the /etc/apt/sources.list.d/ directory for "http:" sources that might be changed to "https:" after installing software from outside the Ubuntu archive.
For example, Microsoft's Visual Studio Code package adds a vscode.list file to this directory that specifies an "http:" URL. Simple changing the URL scheme from "http:" to "https:" allows updates over HTTPS.
Consider backing up any such source files before modifying them.
Lastly, perform an update to ensure that updates will work correctly:
Execute the sudo apt-get update command.
If that doesn't work as expected, restore the backup source list file(s) you made by executing the sudo cp /etc/apt/sources.list.backup /etc/apt/sources.list command.
It's also worth noting that there's an apt-transport-https package to add HTTPS support to APT. However, this package is apparently unnecessary according to the webpage https://launchpad.net/ubuntu/eoan/+package/apt-transport-https and has not been needed since APT 1.5 according to the information shown after executing the command apt-cache show apt-transport-https.
Recent APT releases have TLS support built in, so you simply need to replace your package-repository mirror URLs with https-prefixed ones. For Debian, it could look like this:
deb https://deb.debian.org/debian/ stretch main
deb https://deb.debian.org/debian-security stretch/updates main
deb https://deb.debian.org/debian/ stretch-updates main
This is useful, even though APT includes its own signature protocol to ensure packages aren't tampered with, because there can be bugs in APT (as there have been: CVE-2016-1252, CVE-2019-3462). The HTTP/TLS protocols and their ciphers are subject to intense scrutiny, so a severe zero-day vulnerability is much less likely if you add this layer of security.
apt-get
(and other package manipulation commands, which are a front-end to the same APT libraries) can use HTTP, HTTPS and FTP (and mounted filesystems). If you specifyhttps://
URLs in/etc/apt/sources.list
and/etc/apt/sources.list.d/*
, then APT will use HTTPS.APT verifies the signature of packages. So you do not need to have a form of transportation that provides data authentication. If an attacker modifies the files you're downloading, this will be noticed. Using a signature verification is better than using an HTTPS connection, because it'll detect an attack on the server you're downloading from, not just an attack in transit.
More precisely, the (simplified) data flow for a package is the following:
HTTPS ensures that step 4 happens correctly. The package signatures ensure that steps 2 to 4 happen correctly.
In fact, there is one small benefit to HTTPS for step 4: the package signatures only ensure that the package is authentic. An attacker in step 4 could impersonate a legitimate server and serve stale versions of the package. For example, the attacker could prevent you from downloading any security updates, in the hope of exploiting a vulnerability on your machine that you would have patched if it wasn't for the attack. This isn't a very realistic scenario, because it requires an active attacker (so that would have to be someone in control of your Internet connection), but it could happen in principle.
The other benefit to HTTPS would be if you're trying to hide the fact that you're downloading Ubuntu packages from someone snooping on your network connection. Even then, the eavesdropper could see what host you're connecting to; if you connect to an Ubuntu mirror and download hundreds of megabytes, it's clear that you're downloading Ubuntu packages. The eavesdropper could also mostly figure out which packages you're downloading from the size of the files. So HTTPS would only be useful if you're downloading from a server that also offers other files of similar size — I don't see any point except for third-party packages, and only in very unusual circumstances.
To reiterate: the usual benefit of HTTPS, which is that you know you're connected to the real server, is useless when you're downloading Ubuntu packages. The signature verification on packages gives a stronger guarantee than what HTTPS can provide.
With APT, typically what is more important is not that your connection is encrypted, but that the files you are receiving haven't been tampered with.
APT has built-in signature verification to ensure this.
Encryption would prevent eavesdroppers from being able to see what you are downloading, but what you are actually downloading (and requesting) is pretty uncontroversial: it'll be the same as thousands of other Ubuntu users are downloading and the files contain nothing that isn't freely available on lots of servers. Still, if you need privacy about what packages in particular you're downloading, HTTPS can be used (specify it in your sources.list).
The signature verification that is built in to APT will ensure that the files you receive have not been tampered with. It doesn't really matter where the files come from and it's even possible to have proxies or reverse proxies in between you and the server to reduce server load or speed you up. The signature verification still ensures that you are getting the unmodified file, matching the signature that could only be cryptographically produced with the original file and a copy of Ubuntu's private key.
If you switch to HTTPS, then you won't be able to take advantage of proxy servers for speeding up access or reducing load anymore. And it wouldn't add any more assurance about non-tampering that APT's signature verification doesn't already give. It would, however, mean that eavesdroppers (such as your ISP) will not be able to see which packages you're downloading (which is not likely to be confidential, and as Gilles pointed out they could guess from the file size).
I think this question could use an answer with instructions for the layman, so…
APT still does not use HTTPS by default in daily builds of Ubuntu 19.10 (Eoan) (which is still in development). One can verify this by examining the /etc/apt/sources.list file and noting that all of the source URLs utilize the "http:" URL scheme.
To configure it to use HTTPS, one can follow the following instructions:
First, find a trustworthy official Ubuntu archive mirror that supports HTTPS:
For example, I consider the Wikimedia Foundation trustworthy, so I visited the http://mirrors.wikimedia.org/ubuntu/ mirror URL and subsequently changed it to https://mirrors.wikimedia.org/ubuntu/, which successfully resolves.
If you use Firefox (67.0.4) and have the HTTPS Everywhere (2019.6.27) extension installed with the "Encrypt All Sites Eligible" feature enabled (via the toolbar button panel), steps (4) and (5) can be omitted because the extension will automatically modify the URL to utilize HTTPS, allowing one to more immediately determine whether the "https:" version of the URL will resolve.
Two, update your APT sources list:
sudo cp /etc/apt/sources.list /etc/apt/sources.list.backup
to backup your update sources list.sudo sed --in-place --regexp-extended 's http://(us\.archive\.ubuntu\.com|security\.ubuntu\.com) https://mirrors.wikimedia.org g' /etc/apt/sources.list
with the mirror base URL of your preferred mirror and, then, execute the command.Thirdly, you should examine the contents of the /etc/apt/sources.list.d/ directory for "http:" sources that might be changed to "https:" after installing software from outside the Ubuntu archive.
For example, Microsoft's Visual Studio Code package adds a vscode.list file to this directory that specifies an "http:" URL. Simple changing the URL scheme from "http:" to "https:" allows updates over HTTPS.
Consider backing up any such source files before modifying them.
Lastly, perform an update to ensure that updates will work correctly:
sudo apt-get update
command.sudo cp /etc/apt/sources.list.backup /etc/apt/sources.list
command.It's also worth noting that there's an apt-transport-https package to add HTTPS support to APT. However, this package is apparently unnecessary according to the webpage https://launchpad.net/ubuntu/eoan/+package/apt-transport-https and has not been needed since APT 1.5 according to the information shown after executing the command
apt-cache show apt-transport-https
.Recent APT releases have TLS support built in, so you simply need to replace your package-repository mirror URLs with
https
-prefixed ones. For Debian, it could look like this:This is useful, even though APT includes its own signature protocol to ensure packages aren't tampered with, because there can be bugs in APT (as there have been: CVE-2016-1252, CVE-2019-3462). The HTTP/TLS protocols and their ciphers are subject to intense scrutiny, so a severe zero-day vulnerability is much less likely if you add this layer of security.
Apt 1.5 released 2017 supports https out the box. It is no longer necessary to install package apt-transport-https separately.
There are multiple attacks and vulnerabilities against apt with http repositories: