[Bug 1186793] Re: Updating is over insecure connection

2019-01-30 Thread Andy Brody
** Changed in: ubuntu Status: Expired => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1186793 Title: Updating is over insecure connection To manage notifications about this bug

[Bug 1186793] Re: Updating is over insecure connection

2018-08-07 Thread Marco Voelz
Any thoughts on https://blog.packagecloud.io/eng/2018/02/21/attacks-against-secure-apt-repositories/ ? Seems like there are a few good reasons to use TLS, wdyt?

[Bug 1186793] Re: Updating is over insecure connection

2017-07-04 Thread Robie Basak
> How do gpg signatures and SHA512 sums help with other people in the open WLAN or between me and the mirror being able to see what exactly I download or update?

HTTPS wouldn't protect you either. The sizes and dependency trees of individual packages are well-known. If I could see your HTTPS apt

[Bug 1186793] Re: Updating is over insecure connection

2016-03-21 Thread Launchpad Bug Tracker
[Expired for Ubuntu because there has been no activity for 60 days.] ** Changed in: ubuntu Status: Incomplete => Expired

[Bug 1186793] Re: Updating is over insecure connection

2016-01-21 Thread Dimitri John Ledkov
Please let me know if you have further concerns. ** Changed in: ubuntu Status: Confirmed => Incomplete

[Bug 1186793] Re: Updating is over insecure connection

2016-01-21 Thread Dimitri John Ledkov
We do not provide a default way to receive updates in a private manner. However, one can arrange private methods of doing so. Create an ubuntu mirror via an out-of-bound connection and point your machines there, thus not exposing update traffic to a monitored connection. After establishing an

[Bug 1186793] Re: Updating is over insecure connection

2016-01-21 Thread Dimitri John Ledkov
= Updates = Ubuntu downloads updates over http by default, however that is not insecure. This is because all those updates are validated with GPG against the keys that are already on the system in the ubuntu-keyring package. The signatures on our updates are strong, based on SHA512 checksums at

[Bug 1186793] Re: Updating is over insecure connection

2016-01-21 Thread Mikaela Suomalainen
How do gpg signatures and SHA512 sums help with other people in the open WLAN or between me and the mirror being able to see what exactly I download or update?

[Bug 1186793] Re: Updating is over insecure connection

2014-10-24 Thread Matthew Paul Thomas
This requires more than just switching to HTTPS. The updates UI will also need to explain HTTPS failures in such a way that users don't seek insecure workarounds. Windows updates are being subjected to MITM patches. Windows Update correctly fails to install them, but gives a vague error code.

[Bug 1186793] Re: Updating is over insecure connection

2014-08-22 Thread Matthew Paul Thomas
Fixing this might depend on bug 1185159 and/or bug 1209292. ** Description changed: Relying on signatures is silly. It gives attackers much more control over a situation, and we already know that this *doesn't work* when weak signatures like MD5 are used (see Flame hash collision). Is the

[Bug 1186793] Re: Updating is over insecure connection

2013-06-04 Thread Colin O'Brien
** This bug is no longer a duplicate of bug 247445 Package managers vulnerable to replay and endless data attacks

[Bug 1186793] Re: Updating is over insecure connection

2013-06-03 Thread Nick Rhodes
*** This bug is a duplicate of bug 247445 *** https://bugs.launchpad.net/bugs/247445 ** This bug has been marked a duplicate of bug 247445 Package managers vulnerable to replay and endless data attacks

[Bug 1186793] Re: Updating is over insecure connection

2013-06-03 Thread Chris Thompson
*** This bug is a duplicate of bug 247445 *** https://bugs.launchpad.net/bugs/247445 The linked bug is not a duplicate of this one. That bug was for the replay and endless data attacks posed in the Stork work. This bug is that the repositories are not served over HTTPS, which is another issue

[Bug 1186793] Re: Updating is over insecure connection

2013-06-03 Thread Colin O'Brien
*** This bug is a duplicate of bug 247445 *** https://bugs.launchpad.net/bugs/247445 Like Chris Thompson said, completely different bug report. Not a duplicate.

[Bug 1186793] Re: Updating is over insecure connection

2013-06-02 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: ubuntu Status: New => Confirmed

[Bug 1186793] Re: Updating is over insecure connection

2013-06-02 Thread Ubuntu Foundations Team Bug Bot
Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people

[Bug 1186793] Re: Updating is over insecure connection

2013-06-02 Thread Colin O'Brien
I tried assigning ia32-apt-get but it says it isn't a package in Ubuntu.