Comment 31 for bug 1464064

Andy Brody (abrody) wrote :

Ubuntu's reliance solely on PGP signatures for package and .iso download security puts the community at risk.

There have been several APT vulnerabilities in the past few years that create remote code execution vulnerabilities for Ubuntu systems. It's irresponsible not to give system operators any option to protect against these vulnerabilities.

Every LTS release since 10.04 has been affected by at least one RCE vulnerability in APT that would have been mitigated by HTTPS mirrors.

https://usn.ubuntu.com/3863-1/ CVE-2019-3462
https://usn.ubuntu.com/3156-1/ CVE-2016-1252
https://usn.ubuntu.com/2353-1/ CVE-2014-6273
https://usn.ubuntu.com/2348-1/ CVE-2014-0487, CVE-2014-0488, CVE-2014-0489, CVE-2014-0490
https://usn.ubuntu.com/2246-1/ CVE-2014-0478
https://usn.ubuntu.com/1762-1/ CVE-2013-1051

Vulnerabilities like these are severe because they make it difficult if not impossible to securely bootstrap an Ubuntu system from an official release CD image.

It's especially egregious that security.ubuntu.com is not available over TLS, since many systems continue to refer to http://security.ubuntu.com even when they use a separate primary mirror that supports HTTPS.

Besides preventing remote code execution, HTTPS would also improve confidentiality.

Because Launchpad PPAs are only available over insecure HTTP, anyone using a PPA that belongs to them will disclose their identity over the network whenever apt update is run, which can be as often as multiple times daily.

It's particularly inexcusable that ppa.launchpad.net doesn't deliver packages over HTTPS because even though it does have a valid HTTPS certificate, it responds with a 404 Not Found instead of returning PPA content. [1]

There are many areas of the Internet community where the consensus has changed from HTTP as the default to secure HTTPS as the default. U.S. Government policy now requires HTTPS for all U.S. federal websites and web services, drawing no distinction between browser and non-browser use cases. [2] The W3C now recommends that the web platform should actively prefer HTTPS. [3] The IAB recommends that all new protocols use encryption for confidentiality. [4] Google Chrome has moved over the past few years to treat HTTPS as the default, explicitly marking plaintext HTTP connections as non-secure via a warning icon rather than a neutral presentation. [5] The IETF declared in RFC 7258 that pervasive monitoring is an attack that the Internet community should address through encryption and other means. [6]

It's long past time for Ubuntu to follow suit.

[1] e.g. https://ppa.launchpad.net/kubuntu-ci/stable/ubuntu/dists/bionic/Release returns 404, but works over insecure HTTP
[2] https://https.cio.gov/
[3] https://www.w3.org/2001/tag/doc/web-https
[4] https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/
[5] https://www.blog.google/products/chrome/milestone-chrome-security-marking-http-not-secure/
[6] https://tools.ietf.org/html/rfc7258
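As an added example that is not part of this bug comment or of Ubuntu's own tooling, the following POSIX shell audit finds the situation the comment describes: a system whose primary mirror already uses HTTPS while security.ubuntu.com or a PPA is still fetched over plaintext HTTP. The sample source files, the mirror.example.net host and the PPA path are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the bug thread: audit APT source lists for entries
# still fetched over plaintext http://. Handles one-line deb/deb-src entries
# (with or without [options]) and the URIs: field of deb822 .sources files.
# Commented-out lines are ignored; indented deb822 continuation lines are not parsed.

# Print every http:// URI found in active source entries of the given files.
plaintext_uris() {
    sed -E 's/#.*$//' "$@" \
        | grep -E '^(deb|deb-src|URIs:)[[:space:]]' \
        | grep -oE 'http://[^[:space:]]+' || true
}

# Number of plaintext entries; 0 means the audit passed.
count_plaintext_uris() {
    plaintext_uris "$@" | wc -l | tr -d '[:space:]'
}

# Distinct hosts still reached over HTTP, sorted one per line.
plaintext_hosts() {
    plaintext_uris "$@" | sed -E 's#^http://([^/]+).*#\1#' | sort -u
}

# Constructed sample (hosts are placeholders except the two Ubuntu defaults):
# primary mirror on TLS, security pocket and a PPA still on HTTP.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/sources.list" <<'EOF'
deb https://mirror.example.net/ubuntu bionic main restricted
deb-src https://mirror.example.net/ubuntu bionic main restricted
deb [arch=amd64] http://security.ubuntu.com/ubuntu bionic-security main restricted
# deb http://old.example.net/ubuntu bionic main   (disabled, must not count)
EOF
    cat > "$dir/ppa.sources" <<'EOF'
Types: deb
URIs: http://ppa.launchpad.net/someteam/someppa/ubuntu
Suites: bionic
Components: main
EOF
    echo "$dir"
}

# Stand-alone run: report what is still plaintext in the sample.
sample_dir=$(make_sample)
echo "plaintext entries: $(count_plaintext_uris "$sample_dir"/*)"
plaintext_hosts "$sample_dir"/* | sed 's/^/  still on HTTP: /'
rm -rf "$sample_dir"
```

Switching a reported entry to https:// only helps where the mirror actually serves content over TLS, which, as the comment notes, ppa.launchpad.net did not at the time; check the mirror before editing the entry.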