vitlab2003
Posts: 1
Joined: Mon Aug 13, 2018 10:03 pm

Why is raspbian.raspberrypi.org non-https?

Mon Aug 13, 2018 10:16 pm

Hi,
does anybody know why is raspbian.raspberrypi.org not available via HTTPS (port closed) but archive.raspberrypi.org is?
I wanted to update my sources.list to https-only to make sure that I'm downloading the right and legit packages but this prevents me to completely do this.

Thanks!

wh7qq
Posts: 1314
Joined: Thu Oct 09, 2014 2:50 am

Re: Why is raspbian.raspberrypi.org non-https?

Sun Aug 19, 2018 2:14 am

I really don't have a specific answer for you but I have never heard of anyone having a problem with this. Out of curiosity, I took a look at my Linux Mint /etc/apt/directories and they are http only as well but there is also a gpg signature file present. As Mint had their main download sites hacked a while ago makes them pretty sensitive to the risk. Being one of the most popular of Linux distros has its downside.

Relative to more popular x86 based distros or windows updates, RPi is a pretty small target for hackers to bother with. That, plus the problem of updated files coming from a wide range of souces probably makes getting https certificates complicated and difficult. It may never happen but they probably also limit write access to those files/directories. You don't need to worry about it much but do check the "Announcements" forum here on a regular basis.

davesteele
Posts: 57
Joined: Wed Nov 30, 2016 4:16 pm

Re: Why is raspbian.raspberrypi.org non-https?

Sun Aug 19, 2018 4:01 pm

Note that, while the protocol is not secure, there is a chain of cryptographic signatures for the index files and deb file contents, tied back to an encryption key on your computer. These are verified by apt*. You should not need to worry about non-Raspbian files getting installed.

Take a look in some of the files under http://raspbian.raspberrypi.org/raspbian/dists/.

Return to “Raspbian”