Received: from out1.migadu.com (out1.migadu.com [91.121.223.63])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 2CD03781F06
	for <~alpine/users@lists.alpinelinux.org>; Mon, 11 May 2020 02:47:54 +0000 (UTC)
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dereferenced.org;
	s=default; t=1589165273;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=Qi3aqf4K7CmTAu7ThiUXAPJ8gUZbgQ9CrdsxSdb+gv4=;
	b=rKftqkd0NSO0iVFQ3i/Ijfg3ZHhVl8oBrFkeRYZxcEdowef1qZgifH3sQcHEzfbRq2Hsd/
	vtr+vxLh3FgtUAtHDnS6uYmR5Xg5H0DLd/yQUIscoAkDsSb0MbnEm4VGPSd1bp7nC5MDkv
	U6ZVXeIReJIN+CKxKIVuQo0HfwuqXdg=
From: Ariadne Conill <ariadne@dereferenced.org>
To: ~alpine/users@lists.alpinelinux.org
Subject: Re: Are the repos/apk using http or https?
Date: Sun, 10 May 2020 20:47:48 -0600
Message-ID: <1770621.52O7J0OIYB@localhost>
In-Reply-To: <CAESemU-1n6zA4WqB6ChebPyEKCtPpwTJDBU3hT-Au7urp+dxig@mail.gmail.com>
References: <CAESemU-1n6zA4WqB6ChebPyEKCtPpwTJDBU3hT-Au7urp+dxig@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 1.40

Hello,

On Saturday, May 9, 2020 2:32:41 PM MDT Joe Duarte wrote:
> Hi all =E2=80=93 I was thrown off by the URLs in the mirror list. They're=
 all
> insecure / http. Is Alpine literally making unencrypted http requests, or
> are they automatically upgraded to https by apk?
>=20
> The website for the kernel.org repos are https, like
> https://mirrors.edge.kernel.org/alpine/latest-stable/, but the URLs I see
> in Alpine are just http.
>=20
> Since we're talking about code running with all kinds of privileges, it
> would be a huge problem if downloaded code wasn't coming in over a secure
> connection.

APK packages are secured with a signature-based chain of trust, and as long=
 as=20
that chain of trust is not compromised, it does not matter if the connectio=
n=20
itself is secure or not.

There is, incidentally, no knowledge of any compromise of our trust chain a=
t=20
this time, and if there were, using HTTPS to deliver the packages would not=
=20
change anything, as the compromised packages would still have valid=20
signatures.

The primary concern of using a non-HTTPS channel is one of information=20
leakage; an attacker can learn based on observing your update traffic what=
=20
packages are installed on a target system.  If that is a concern to you, th=
en=20
many mirrors are HTTPS-enabled, perhaps it makes sense to provide a list of=
=20
HTTPS mirrors along side the HTTP mirror list.

Ariadne