LinuxQuestions.org


Mi82 04-15-2019 04:47 PM

apt-get via httpS
 
I'm trying to modify my repository sources list to get everything via httpS after reading about replay attacks. I installed apt-get-https and modified the list to "https". The main repo is working, but security.debian.org isn't working:

Code:

Err:8 https://security.debian.org/debian-security stretch/updates Release
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Reading package lists... Done
E: The repository 'https://security.debian.org/debian-security stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.

I'm assuming I just don't understand something about how repos work or specifically how the security repo works.






Footnote: The reasons I am trying to use apt via httpS:

"numerous research papers have shown both APT and YUM repositories to be vulnerable to replay attacks when the repository is accessed via HTTP, even with GPG signatures. Repositories should only be accessed via TLS, 100% of the time." – Joe Damato Oct 21 '16 at 10:00
https://isis.poly.edu/~jcappos/paper...ror_ccs_08.pdf

and

"There have in fact been multiple exploits of apt (1, 2) that allow arbitrary code execution as root that would have been prevented if https was used instead of http. So https does provide real security benefit because sometimes bugs happen and the more layers of security you have the better." – Niklas Holm
1. https://www.debian.org/security/2016/dsa-3733
2. https://www.debian.org/security/2019/dsa-4371
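
Added example, not part of the original thread: the replay risk quoted above comes down to a validly signed but outdated Release file being served again, and the signed Valid-Until field that apt checks is what bounds that window. The sketch below classifies a Release header by expiry and by a Date older than one already accepted; the sample header, the function names and the rollback check are assumptions made for this illustration.

```python
from datetime import datetime, timezone

# Constructed sample of the header fields at the top of a repository Release
# file (not fetched from a real mirror; all values are illustrative).
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Codename: stretch
Date: Mon, 15 Apr 2019 20:12:31 UTC
Valid-Until: Mon, 22 Apr 2019 20:12:31 UTC
Architectures: amd64 i386
"""

DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"


def parse_fields(release_text):
    """Return the top-level 'Key: value' fields, skipping checksum lines."""
    fields = {}
    for line in release_text.splitlines():
        # Continuation lines (the checksum lists) start with whitespace.
        if line[:1].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def parse_date(value):
    """Parse a Release timestamp, which is always expressed in UTC."""
    return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)


def check_freshness(release_text, now, last_seen_date=None):
    """Classify a Release file: 'fresh', 'expired', 'rollback' or 'no-expiry'."""
    fields = parse_fields(release_text)
    date = parse_date(fields["Date"])
    # Hypothetical extra check: a Date older than one already accepted means
    # the metadata went backwards, which is what a replayed copy looks like.
    if last_seen_date is not None and date < last_seen_date:
        return "rollback"
    if "Valid-Until" not in fields:
        # Without an expiry, a signed old copy can be replayed indefinitely.
        return "no-expiry"
    if now > parse_date(fields["Valid-Until"]):
        return "expired"
    return "fresh"
```

The signature check has to pass before any of these fields are trusted, since an unsigned header could carry any Valid-Until value.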

hydrurga 04-15-2019 05:29 PM

Putting https://security.debian.org/debian-security into Firefox indicates that the subdomain isn't set up (or set up correctly) for https.

Try using:

Code:

http://deb.debian.org/debian-security/

scasey 04-15-2019 05:45 PM

Yes. Whether or not a url is using https is controlled by the remote site. It’s not something you can force to happen from your end.
I’m curious if you actually needed to change anything. For example, http://linuxquestions.org will be connected to the https url because the site has been configured to redirect all web requests to https.
That may also be the case for at least some of your repository sources.

Mi82 04-16-2019 06:40 AM

That worked!
http://deb.debian.org/debian-security/
gets forwarded to an https site:
https://cdn-aws.deb.debian.org/debian-security/

Thanks!!

