Advanced Package Tool: Privacy or No Privacy?

The Debian-based Linux distribution’s package manager, Advanced Package Tool (APT), does not ensure privacy out of the box. While other UNIX package managers use SSL/TLS, APT does not—leaving your privacy in the balance. With privacy concerns rapidly growing due to new discoveries of various government spying scandals, brand new laptops installed with “bloatware,” and targeted ads embedded within social media outlets, one would think that people would be more concerned with privacy. This blog post will demonstrate how requests made via APT are sent over the network by default, and it will provide steps to enable secure communications when using APT.

In its current state, APT does not communicate over a secure channel such as SSL or TLS. Although there is an integrity mechanism in place, GNU Privacy Guard (GPG) [1], anyone could see the requests that are made to repositories to download software packages. GPG verifies the downloaded package's integrity via the package's digital signature. This ensures that the package has not been tampered with in transit by a man-in-the-middle attack, but it does nothing for the confidentiality of the requests made to, and the responses received from, the server. All requests made to a repository (repo) via APT are sent in plaintext over the network, which gives anyone with a favorable position on the network a chance to eavesdrop on the communication with said repo(s). Figure 1 shows requests made to, and corresponding responses received from, the default Ubuntu repository. The network traffic shown was captured using Wireshark while executing the sudo apt-get update command.

GET /ubuntu/dists/vivid/Release.gpg HTTP/1.1
Host: us.archive.ubuntu.com
Cache-Control: max-age=0
If-Modified-Since: Fri, 24 Apr 2015 18:46:59 GMT
User-Agent: Debian APT-HTTP/1.3 (1.0.9.7ubuntu4)

HTTP/1.1 304 Not Modified
Date: Wed, 19 Aug 2015 01:36:38 GMT
Server: Apache/2.4.7 (Ubuntu)
ETag: "3a5-5147cd238eec0"
Expires: Wed, 19 Aug 2015 01:36:38 GMT
Cache-Control: max-age=0, proxy-revalidate

GET /ubuntu/dists/vivid-updates/Release.gpg HTTP/1.1
Host: us.archive.ubuntu.com
Cache-Control: max-age=0
If-Modified-Since: Wed, 19 Aug 2015 01:21:00 GMT
User-Agent: Debian APT-HTTP/1.3 (1.0.9.7ubuntu4)

HTTP/1.1 304 Not Modified
Date: Wed, 19 Aug 2015 01:36:39 GMT
Server: Apache/2.4.7 (Ubuntu)
ETag: "3a5-51d9fd8ed7700"
Expires: Wed, 19 Aug 2015 01:51:00 GMT
Cache-Control: max-age=860, proxy-revalidate

Figure 1. Plaintext HTTP requests and responses captured by Wireshark during sudo apt-get update.

Enabling HTTPS for APT

For this blog, I will be using the https://lug.mtu.edu/ubuntu/dists/vivid/ mirror, which is an official repository for Ubuntu source packages. More official Ubuntu repositories can be found on the Launchpad website [2].

As shown above, when the command sudo apt-get update is used with the default repositories, communication between the client and server over HTTP is in plaintext. By installing the apt-transport-https package and modifying the sources.list file within /etc/apt/ to point at an HTTPS-enabled repo, all communication between the server and client will go through a secure channel.

To demonstrate that HTTPS is not supported out of the box on Debian distributions, an HTTPS-enabled repo will be added to the source list, and then an attempt to run the sudo apt-get update command will be carried out.

First, a repository that accepts communication via HTTPS on port 443 must be discovered. This can be done by selecting a repo’s URL, replacing http with https, and entering the new URL within a browser. If the web page successfully loads, the repo can accept requests via HTTPS.

APT's source list file needs to be appended with the new repository to make use of a secure communication channel. Once the configuration file is opened using a text editor such as Vim, take note of the default repo URLs within the file; the new repo entries must adhere to the same format as the default ones. More information on how to add repositories can be found on the Ubuntu website [3]. Listed below are example entries added to the sources.list file:

deb https://lug.mtu.edu/ubuntu/ vivid main restricted
deb-src https://lug.mtu.edu/ubuntu/ vivid main restricted
deb https://lug.mtu.edu/ubuntu/ vivid-updates main restricted
deb-src https://lug.mtu.edu/ubuntu/ vivid-updates main restricted

After the new repository has been added to the source list file, an attempt to execute sudo apt-get update within a terminal should result in errors like the ones in Figure 2:

/etc/apt$ sudo apt-get update
E: The method driver /usr/lib/apt/methods/https could not be found.
N: Is the package apt-transport-https installed?
E: The method driver /usr/lib/apt/methods/https could not be found.
N: Is the package apt-transport-https installed?

Figure 2. Errors received when an HTTPS repository is added without apt-transport-https installed.

The errors above denote that the package apt-transport-https is not installed by default and is required to use SSL/TLS communication methods.

The following steps could be carried out to install apt-transport-https:

Open a terminal within a Debian-based Linux distribution

Enter sudo apt-get install apt-transport-https. (Enter root password when prompted)

Once apt-transport-https is installed, execution of the sudo apt-get update command should not return any errors and should display GET requests made to the new repository via HTTPS, as shown in Figure 3.

Get:10 https://lug.mtu.edu vivid-updates Release
Get:11 https://lug.mtu.edu vivid-backports Release
Get:12 https://lug.mtu.edu vivid-security Release
Get:13 https://lug.mtu.edu vivid/main Sources

Figure 3. Successful HTTPS GET requests made to the new repo.

After apt-transport-https is installed, comment out the original repository entries with a '#' symbol at the beginning of each entry within the sources.list file. If the appended repository is entered correctly, once the file is saved, the sudo apt-get update command should run successfully. Figure 4 shows a sample of the HTTPS TCP stream captured by Wireshark; unlike Figure 1, the request paths and response headers are no longer readable, and only the TLS handshake (including the mirror's certificate for lug.mtu.edu) is visible.

Figure 4. HTTPS TCP stream captured via Wireshark.
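The procedure above (find a mirror that answers on port 443, switch the sources.list entries to https://, and confirm no plaintext entries remain) can be scripted. The following is an added example, not code from the original post: it audits a sources.list-style file for active deb/deb-src lines that still use http://, rewrites them to https://, and wraps the post's browser check in a curl call. The sample sources.list content is constructed here for illustration; function names are my own.

```shell
#!/bin/sh
# Audit an APT sources list for plaintext repositories and rewrite them to HTTPS.
# Constructed sample: the default http mirror plus one entry already on the https mirror.
SAMPLE_SOURCES='# default Ubuntu mirror (plaintext)
deb http://us.archive.ubuntu.com/ubuntu/ vivid main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ vivid main restricted
# already moved to HTTPS
deb https://lug.mtu.edu/ubuntu/ vivid main restricted
'

# Print only active (uncommented) deb/deb-src lines whose URI is plain http://.
# An optional [options] block between the type and the URI is tolerated.
plaintext_sources() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?http://' "$1"
}

# Number of plaintext entries in FILE; 0 means every active repo uses HTTPS.
count_plaintext_sources() {
    plaintext_sources "$1" | wc -l | tr -d ' '
}

# The post's browser check, scripted: does the mirror answer over HTTPS on 443?
# Needs network access, so it is not exercised against the embedded sample.
mirror_supports_https() {
    https_url=$(printf '%s' "$1" | sed 's#^http://#https://#')
    code=$(curl -sS -o /dev/null --max-time 10 -w '%{http_code}' "$https_url" 2>/dev/null)
    case "$code" in 200|301|302) return 0 ;; *) return 1 ;; esac
}

# Rewrite http:// to https:// on active deb/deb-src lines only; comments are untouched.
rewrite_to_https() {
    sed -E 's#^([[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?)http://#\1https://#' "$1"
}

# Demo on the constructed sample: count before and after rewriting.
demo() {
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_SOURCES" > "$tmp"
    before=$(count_plaintext_sources "$tmp")
    rewrite_to_https "$tmp" > "$tmp.https"
    after=$(count_plaintext_sources "$tmp.https")
    rm -f "$tmp" "$tmp.https"
    echo "plaintext entries before: $before, after rewrite: $after"
}

demo
```

Run the rewritten output through mirror_supports_https for each distinct host before installing it as /etc/apt/sources.list, since a mirror that only listens on port 80 would otherwise leave apt-get update failing.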

While there are advantages and disadvantages to enabling SSL/TLS for downloading packages from repositories, the process is simple and straightforward. Communicating over an HTTPS channel could slightly impact the performance of APT, but one must decide whether privacy is worth that impact.

Additional Information

Readers interested in further details about this topic can reach us at: contact@www.ise.io

References

  1. The GNU Privacy Guard
  2. Official Archive Mirrors for Ubuntu
  3. Repositories/CommandLine