I was looking at the installation instructions for VS Code today and found this step curious:
sudo apt install apt-transport-https
I see that there appears to be https transport available for apt:
$ ls -1 /usr/lib/apt/methods
cdrom
copy
file
ftp
gpgv
http
https
mirror
mirror+copy
mirror+file
mirror+ftp
mirror+http
mirror+https
rred
rsh
ssh
store
This made me curious about why Microsoft would have one install that package, so I did some searching and ran across this article from Cloudflare which points out that even fairly recent versions of Debian require additional steps to secure apt.
I was quite surprised to see that all of the URLs in my sources.list are NOT https. My machine is running Ubuntu 20.04, upgraded from Ubuntu 18.04:
$ grep http /etc/apt/sources.list
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
deb http://us.archive.ubuntu.com/ubuntu/ focal main restricted
deb http://us.archive.ubuntu.com/ubuntu/ focal-updates main restricted
deb http://us.archive.ubuntu.com/ubuntu/ focal universe
deb http://us.archive.ubuntu.com/ubuntu/ focal-updates universe
deb http://us.archive.ubuntu.com/ubuntu/ focal multiverse
deb http://us.archive.ubuntu.com/ubuntu/ focal-updates multiverse
deb http://us.archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse
# deb http://archive.canonical.com/ubuntu focal partner
# deb-src http://archive.canonical.com/ubuntu focal partner
deb http://security.ubuntu.com/ubuntu focal-security main restricted
deb http://security.ubuntu.com/ubuntu focal-security universe
deb http://security.ubuntu.com/ubuntu focal-security multiverse
This seems less than ideal. It occurs to me that https can be more finicky and any failures might impede critical software updates, but this also seems painfully out of date from a security perspective. On the other hand, the information being transferred is open source software, so there isn't really any risk if someone snoops the packets in transit -- it's not sensitive information, is it?
Still, I'm wondering if there is risk in this. Is the HTTP protocol vulnerable to packet injection in transit? Can anyone lay out what risks there might be in using insecure HTTP traffic for apt?
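As an added example that is not part of the original question, the following POSIX shell script audits one-line apt source entries (the format shown above) for the two things a defender would check when mirrors are plain HTTP: the transport itself, and the apt `trusted=yes` option, which disables Release signature verification for that entry. The sample input is constructed from the question's own entries plus two extra lines with `.invalid` placeholder hosts.

```shell
#!/bin/sh
# Added example (not from the original question): audit one-line apt source
# entries for plain (non-https) transports and for [trusted=yes], the option
# that makes apt skip Release signature checks for an entry. Signature
# verification is what protects an http:// mirror against tampering in transit,
# so an entry that is both plain http and trusted=yes has no protection at all.

# Read sources.list text on stdin; print "<type> <uri> <finding>" per finding.
audit_sources() {
    sed -e 's/#.*$//' | awk '
        $1 == "deb" || $1 == "deb-src" {
            i = 2; opts = ""
            # options block may be "[arch=amd64]" or "[ arch=amd64 trusted=yes ]"
            if ($i ~ /^\[/) {
                while (i <= NF) { opts = opts " " $i; if ($i ~ /\]$/) break; i++ }
                i++
            }
            uri = $i
            if (uri !~ /^https:\/\//) print $1, uri, "plain-transport"
            if (opts ~ /trusted=yes/) print $1, uri, "trusted=yes"
        }'
}

# Number of findings of one kind, e.g.: count_findings plain-transport
count_findings() {
    audit_sources | awk -v kind="$1" '$3 == kind' | wc -l | tr -d ' '
}

# Constructed sample: entries from the question plus two lines with options
# (hosts under .invalid are placeholders, not real mirrors).
SAMPLE='# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
deb http://us.archive.ubuntu.com/ubuntu/ focal main restricted
deb http://security.ubuntu.com/ubuntu focal-security main restricted
# deb http://archive.canonical.com/ubuntu focal partner
deb [arch=amd64] https://mirror.example.invalid/repo stable main
deb [ arch=amd64 trusted=yes ] http://local.example.invalid/repo stable main'

# Run it on a real system with:  audit_sources < /etc/apt/sources.list
printf '%s\n' "$SAMPLE" | audit_sources
```

On the sample this reports three plain-transport entries and one trusted=yes entry; the last line is the one to fix first, since it is both unencrypted and unverified.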