I am using an unsecured (no password) Cox hotspot that requires authentication on a web portal.

This is the main internet connection I use and I have been updating my Ubuntu (sudo apt update && sudo apt upgrade) for a while.

Is my system safe?

  • Check this and this on how apt is secured. If you additionally use SSL in /etc/apt/sources.list and other sources (i.e. https over http), there should not be any worries regarding the unsecured network, as security is negotiated between your PC and the server plus the layer of using signed packages and checksums thereof. – FelixJN Jul 11 '22 at 07:20

1 Answer

Even over an unsecured connection, and even using unsecured HTTP connections, your system will only accept packages and repository metadata signed using keys already on your system — that is to say, all the information downloaded by apt is authenticated using information which can’t be intercepted and modified during download, because it’s already on your system.

So your system is safe from tampering during package downloads.

See How is the authenticity of Debian packages guaranteed? (which also applies to Ubuntu) for details.

Do note however that by using an untrusted network, you run the risk of your downloads being monitored, which could allow an adversary to determine which packages are installed on your system. This can be done even with secured HTTP connections over unsecured networks.

Stephen Kitt
  • Not all distros use signed packages ((( but then people shouldn't be using such, but how will they know? Lastly, have you actually verified Ubuntu rejects unsigned/badly signed packages? I've verified that in Fedora - works beautifully, never seen anyone demonstrate it in Ubuntu. – Artem S. Tashkinov Jul 11 '22 at 07:57
  • I’m answering for Ubuntu, not all distros ;-). And yes, the package manager refuses unsigned or badly-signed repository metadata, and rejects packages which don’t match the repository metadata. – Stephen Kitt Jul 11 '22 at 08:06
  • Agreeing with what you write (and on a side note able to confirm that this would be true with gentoo's portage too), one could nevertheless highlight that the highest risk with unsecured networks is not that much on the trustability of what you download than on the high probability of what you download leaking. Relating to system updates and, depending on the system, it might be considered a security risk to have the world and his dog knowing precisely the software it is running. – MC68020 Jul 11 '22 at 08:52
  • Please note that (at least) no firmware package could be signed with a debian logo as there is no way to know what is inside those. (The second column in a synaptic list of packages). – QuartzCristal Jul 11 '22 at 09:15
  • @QuartzCristal signatures don’t say anything about what’s inside a package; they serve to prove that packages haven’t been tampered with. – Stephen Kitt Jul 11 '22 at 09:22
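
The check the answer describes, as an added example (not part of the original thread and not apt's own code): the signed Release file lists the hash of each Packages index, and the index lists the hash of each .deb, so a change to either is caught locally. It assumes the Release file's signature has already been verified against a key on the system; all file names and contents are constructed.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def release_entry(release_text: str, index_name: str):
    """Return (sha256, size) that the Release file lists for one index file."""
    in_section = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, name = line.split()
            if name == index_name:
                return digest, int(size)
        else:
            in_section = False
    raise KeyError(index_name)

def package_entry(packages_text: str, filename: str):
    """Return (sha256, size) that the Packages index lists for one .deb."""
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if fields.get("Filename") == filename:
            return fields["SHA256"], int(fields["Size"])
    raise KeyError(filename)

def verify_chain(release_text, index_name, packages_bytes, filename, deb_bytes):
    """True only if the index matches Release and the .deb matches the index."""
    digest, size = release_entry(release_text, index_name)
    if len(packages_bytes) != size or sha256(packages_bytes) != digest:
        return False  # index altered in transit
    digest, size = package_entry(packages_bytes.decode(), filename)
    return len(deb_bytes) == size and sha256(deb_bytes) == digest

# Constructed sample data (not a real repository).
INDEX = "main/binary-amd64/Packages"
FILENAME = "pool/main/h/hello/hello_1.0_amd64.deb"
DEB = b"constructed stand-in for the bytes of a .deb archive"
PACKAGES = (f"Package: hello\nVersion: 1.0\nFilename: {FILENAME}\n"
            f"Size: {len(DEB)}\nSHA256: {sha256(DEB)}\n").encode()
RELEASE = (f"Origin: Example\nSuite: stable\nSHA256:\n"
           f" {sha256(PACKAGES)} {len(PACKAGES)} {INDEX}\n")

if __name__ == "__main__":
    print("untouched download:", verify_chain(RELEASE, INDEX, PACKAGES, FILENAME, DEB))
    print("modified .deb:     ", verify_chain(RELEASE, INDEX, PACKAGES, FILENAME, DEB + b"!"))
```

A rewritten index fails the first comparison even when its size is unchanged, which is why plain HTTP transport does not weaken the integrity check.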