-1

Many distributions have HTTP links in their sources list for packages.

Proof:

Is this to make it easier for NSA, FBI, etc. to MITM your traffic and insert backdoors? I cannot think of any better reason. We're living in 2018, though the first 2 examples are security distros using HTTP sources.

Kind of ironic if you ask me.

Critical joe
  • Downvoting without leaving a comment, wonderful community :) – Critical joe Apr 07 '18 at 16:48
  • While I wasn't one of them, you possibly got downvoted because the way you phrase your question isn't exactly neutral. Another reason might be that it's an obvious duplicate. – Arminius Apr 07 '18 at 16:59

2 Answers

5

The packages in Debian-based distributions are cryptographically signed, so tampering with them would be very difficult. (In fact, they typically use the same algorithm that is used to authenticate a server over HTTPS.) Sending packages over HTTP has a number of advantages:

  1. Intermediate proxies can cache the packages. (I run a local apt-cacher-ng instance for exactly this reason.)
  2. There is less load on the mirror servers.
  3. There is no need to manage the TLS certificates for the mirrors. (Consider that a single hostname might resolve to multiple mirrors run by different organizations, such as universities, companies, private individuals, the distribution itself.)

There is a lack of confidentiality, but the integrity of the packages should remain so long as OpenPGP is considered secure. Note that even with TLS, it is likely to be trivial to identify the packages you are downloading from a mirror.

You've identified Kali and Parrot as "security distributions", which is a reasonable classification, but it's probably worth noting that they are designed for the use of security tools, not for being a secure platform themselves. You need look no further than Kali's "root by default" policy to see that ease of use of tools has outweighed security of the distribution in their balance. If you're using Kali because you think it gives you a secure desktop, you should reconsider.

David
  • Great explanation! I agree with you that root by default is indeed a nightmare. Systems like Alpine or Arch Linux are more secure to work on. – Critical joe Apr 07 '18 at 16:46
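Both answers rest on the hash-and-signature chain that lets apt use plain HTTP safely: the OpenPGP-signed InRelease file records the SHA256 of each Packages index, and each Packages stanza records the SHA256 of its .deb. The following is an added illustration of that chain over constructed sample data; it is not code from the answers or from apt itself, and it assumes the OpenPGP signature on the Release text has already been verified against the distribution's keys (the one step not shown).

```python
import hashlib
# Constructed sample standing in for what apt fetches from an HTTP mirror. The
# OpenPGP check on InRelease is assumed to have passed; below is the hash chain.
DEB_DATA = b"!<arch>\nfake .deb payload, for illustration only\n"
DEB_PATH = "pool/main/e/example-tool/example-tool_1.0-1_amd64.deb"
INDEX_PATH = "main/binary-amd64/Packages"
PACKAGES_TEXT = (f"Package: example-tool\nVersion: 1.0-1\nFilename: {DEB_PATH}\n"
                 f"Size: {len(DEB_DATA)}\nSHA256: {hashlib.sha256(DEB_DATA).hexdigest()}\n\n")
PACKAGES_DATA = PACKAGES_TEXT.encode()
RELEASE_TEXT = ("Origin: Example\nSuite: stable\nSHA256:\n"
                f" {hashlib.sha256(PACKAGES_DATA).hexdigest()} {len(PACKAGES_DATA)} {INDEX_PATH}\n")

def parse_release_hashes(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 block of a Release file."""
    hashes, in_sha256 = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # any unindented line ends the block
            in_sha256 = line.strip() == "SHA256:"
        elif in_sha256 and len(line.split()) == 3:
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes

def parse_packages_hashes(packages_text):
    """Return {Filename: (sha256_hex, size)} for each stanza of a Packages index."""
    result, fields = {}, {}
    for line in packages_text.splitlines() + [""]:
        if line == "":                        # blank line closes a stanza
            if "Filename" in fields:
                result[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
            fields = {}
        elif not line.startswith(" "):        # skip continuation lines
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    return result

def matches(expected, data):
    """True only if data has exactly the recorded size and SHA256 digest."""
    if expected is None:                      # unlisted path: refuse rather than trust
        return False
    digest, size = expected
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

def verify_index(release_text, path, index_data):
    """Step 1: the Packages index must match the signed Release file."""
    return matches(parse_release_hashes(release_text).get(path), index_data)

def verify_deb(packages_text, filename, deb_data):
    """Step 2: the .deb must match the already-verified Packages index."""
    return matches(parse_packages_hashes(packages_text).get(filename), deb_data)
```

Because every link is pinned by a hash rooted in the signed Release file, an on-path attacker on the HTTP connection can only cause a verification failure, not substitute a package.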
1

I suppose the reason is to not overload the servers too much. About the possibility of inserting backdoors, etc., the integrity of the files is supposed to be assured because of GPG and its file signing. The only thing a passive observer can do is view the packages you are downloading.

Regards.

bulw4rk