With regards to CVE-2019-3462, my organization agrees with the statement
made on NSA QUANTUM:
https://twitter.com/TRONDELTA/status/1087810526539931649

On behalf of my intelligence organization, I think it would be much
better if Canonical servers required TLS >= 1.2 encryption (HSTS
and ECDHE preferred) and thus identified themselves properly, so
machines/users would be able to make sure who they are talking/connecting
to.

We think that would definitely make MITM and MOTS attacks more
difficult. Personally, I'm aware of the existing signature scheme, i.e.
present package security. Nonetheless, it does not seem to address the
problem of transport security; especially the lack of identification.
Therefore, I simply consider the assertions of whydoesaptnotusehttps.com
as wrong.

There is also a research paper named "A Look In the Mirror: Attacks on
Package Managers"
(https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf), which
showed that both APT and YUM repositories are vulnerable to replay
attacks, in case the repository is accessed via HTTP (even with valid
GPG signatures used).

In addition to that, Launchpad bug
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467 showed that
transport security may sometimes reduce the impact of known
vulnerabilities and exposures.

Given the present state of things, I agree, on behalf of the members of
my organization, that TLS should be optional, at least for a
transitional period of LTS (5) years. We strongly recommend that the
decision makers at Canonical act professionally on this and make a
change soon.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1464064

Title:
  Ubuntu apt repos are not available via HTTPS

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
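The replay attack the post cites from the Cappos et al. paper works because a signature only proves who published a Release file, not when the client is seeing it: an attacker on the HTTP path can serve an old, still correctly signed snapshot and hold a machine on known-vulnerable package versions. APT's own mitigation is the Date and Valid-Until fields in the Release file. The following is an added example, not code from the poster, APT or Canonical, that parses a constructed Release header and applies the freshness check a client should make after the signature has verified; the sample Release text and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed Release-file header for the example; not a real Ubuntu
# Release file. Real APT Release/InRelease files carry Date: and
# optionally Valid-Until: in this RFC 2822-style format.
SAMPLE_RELEASE = """\
Origin: Ubuntu
Label: Ubuntu
Suite: bionic
Codename: bionic
Date: Thu, 24 Jan 2019 12:00:00 UTC
Valid-Until: Thu, 31 Jan 2019 12:00:00 UTC
Architectures: amd64
Components: main
"""

DATE_FMT = "%a, %d %b %Y %H:%M:%S %Z"


def parse_release_fields(text):
    """Parse the 'Key: value' header lines of a Release file into a dict.

    Continuation lines (the per-file hash lists start with whitespace) are
    skipped; they are not needed for the freshness decision."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_apt_date(value):
    """Parse an APT Release timestamp; the format is always UTC."""
    return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)


def check_freshness(fields, now, max_age=timedelta(days=7)):
    """Decide whether a signature-valid Release file may still be trusted.

    Returns (ok, reason). A replayed Release file carries a valid signature
    but an old Date and, when the publisher sets one, an expired
    Valid-Until. If Valid-Until is absent, fall back to a local max_age so
    the replay window is bounded by client policy rather than unbounded."""
    if "Date" not in fields:
        return False, "Release file has no Date field"
    issued = parse_apt_date(fields["Date"])
    # Small tolerance for clock skew between publisher and client.
    if issued > now + timedelta(minutes=5):
        return False, "Release file is dated in the future"
    if "Valid-Until" in fields:
        valid_until = parse_apt_date(fields["Valid-Until"])
        if now > valid_until:
            return False, ("Release file expired at %s (possible replay)"
                           % fields["Valid-Until"])
        return True, "within publisher's Valid-Until window"
    if now - issued > max_age:
        return False, "no Valid-Until and Release file older than %s" % max_age
    return True, "no Valid-Until; accepted under local max-age policy"


if __name__ == "__main__":
    fields = parse_release_fields(SAMPLE_RELEASE)
    for day in (datetime(2019, 1, 25, tzinfo=timezone.utc),
                datetime(2019, 2, 5, tzinfo=timezone.utc)):
        print(day.date(), check_freshness(fields, day))
```

A client that stops at "signature verifies" accepts the second case; the check above rejects it because the publisher's own Valid-Until has passed. Transport security addresses a different part of the same problem: TLS with a verified server identity makes it much harder for an on-path party to substitute the old snapshot in the first place, which is why the two measures complement rather than replace each other.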