I'm trying to modify my repository sources list to get everything via httpS after reading about replay attacks. I installed apt-get-https and modified to list to "https". The main repo is working, but security.debian.org isn't working:
Code:
Err:8 https://security.debian.org/debian-security stretch/updates Release
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Reading package lists... Done
E: The repository 'https://security.debian.org/debian-security stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
I'm assuming I just don't understand something about how repos work or specifically how the security repo works.
Footnote: The reasons I am trying to use apt via httpS:
"numerous research papers have shown both APT and YUM repositories to be vulnerable to replay attacks when the repository is accessed via HTTP, even with GPG signatures. Repositories should only be accessed via TLS, 100% of the time." – Joe Damato Oct 21 '16 at 10:00
https://isis.poly.edu/~jcappos/paper...ror_ccs_08.pdf
and
"There has in fact been multiple exploits of apt (1, 2) that allows arbitrary code execution as root that would have been prevented if https was used instead of http. So https do provide real security benefit because sometimes bugs happen and the more layers of security you have the better." – Niklas Holm
1.
https://www.debian.org/security/2016/dsa-3733
2.
https://www.debian.org/security/2019/dsa-4371
