From: Ariadne Conill
To: ~alpine/users@lists.alpinelinux.org
Subject: Re: Are the repos/apk using http or https?
Date: Sun, 10 May 2020 21:04:15 -0600
Message-ID: <3414617.y9zrWrDLY7@localhost>
In-Reply-To: <20200510161718.2b9d3b8985314c73486c1d17@gmail.com>
References: <20200510161718.2b9d3b8985314c73486c1d17@gmail.com>

Hello,

On Sunday, May 10, 2020 7:17:18 AM MDT Konstantin Kulikov wrote:
> > Is Alpine literally making unencrypted http requests?
>
> Yes. You need to manually update /etc/apk/repositories file to https urls.
> There is no immediate problem, because packages are signed and verified on
> install, but you're right https should be used by default.
>
> Please file an issue at
> https://gitlab.alpinelinux.org/alpine/aports/-/issues so it's not
> forgotten.

Traditionally, we haven't seen this to be a huge problem because the update channel itself is secured against tampering.
The worst that could be done over an HTTP channel is suppression of future updates, but in practice, the greater value an HTTP channel has to an attacker is intelligence gathering (e.g. these packages have been downloaded by the host).

I think, however, in 2020 it is probably a good idea to prefer https over http mirrors. A good solution would be to have two lists, and ask users if they wish to use an http or https update channel.

Ariadne
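The manual fix Konstantin describes, rewriting /etc/apk/repositories to https URLs, as an added example that is not part of the thread: a small POSIX shell audit that counts plaintext http:// mirror lines and emits an https:// copy, leaving comments, @tagged repositories and local paths intact. The mirror hostname and release paths in the sample file are constructed, and the script assumes the mirror serves the same paths over TLS.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Audits an apk
# repositories file for plaintext http:// mirrors and writes an https://
# version. Assumes each mirror serves identical paths over TLS.

# Count repository lines that still fetch over plaintext http://.
# $1 = path to a repositories file. Prints the count, always exits 0.
count_http_repos() {
    grep -cE '^(@[^ ]+ +)?http://' "$1" 2>/dev/null || true
}

# Rewrite http:// to https:// on repository lines only. Comment lines,
# local paths (e.g. /media/cdrom/apks) and the @tag prefix are preserved.
# $1 = input file, $2 = output file.
to_https() {
    sed -E 's#^(@[^ ]+ +)?http://#\1https://#' "$1" > "$2"
}

# Write a constructed sample repositories file to $1 (hostname and
# release paths are placeholders, not a real host's configuration).
make_sample_repos() {
    cat > "$1" <<'EOF'
# main repositories (constructed sample)
http://mirror.example.org/alpine/v3.11/main
http://mirror.example.org/alpine/v3.11/community
@edge http://mirror.example.org/alpine/edge/testing
/media/cdrom/apks
EOF
}

# Stand-alone run: report before/after counts for the sample file.
if [ "${1:-}" = "--demo" ]; then
    in="$(mktemp)"; out="$(mktemp)"
    make_sample_repos "$in"
    echo "plaintext http repos before: $(count_http_repos "$in")"
    to_https "$in" "$out"
    echo "plaintext http repos after:  $(count_http_repos "$out")"
    cat "$out"
    rm -f "$in" "$out"
fi
```

Run with `sh audit_repos.sh --demo`; to apply to a live system, point `to_https` at /etc/apk/repositories and review the output before replacing the file.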