Parrot Update over SSL


Recently I updated my OS since my parrot device was sitting around alone for a while. Noticed something.

While most programs were being updated over a (assumably) secure channel (https://url), a few were being updated over http, which raised a concern of MITM manipulation attacks. I'm not sure if there are any countermeasures like auto checking the hashes/checksum of downloaded (or upgraded) files after update. Or if it's just a blank “MITM depends on your luck lol” kinda thing.

Here are a few snapshots of what I'm referring to:

A few domains like
mirror(dot)truenetwork(dot)ru and
kartolo(dot)sby(dot)datautama(dot)net(dot)id are shown in the snap that transfer data over http rather than https.

Looking forward to some sort of patch :slight_smile:

This functionality was added in the 4.6 release. The release notes go into some detail on how it works, and should give you confidence that it isn’t a security risk.

In short, apt doesn’t need https as it has its own signature checking mechanism. But updates over https were added as an extra layer of security.


That's exactly what I was looking for. Thanks! :smiley:

1 Like

apt will verify your packages so you don’t need to worry about MITM so much.
And update via HTTPS is not 100% secure. At Black Hat USA 2015, there was a talk about injecting malware into MS update packages (https).
Some more information.

1 Like
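
Added example, not part of the thread and not apt's or Parrot's own code: a simplified Python sketch of the hash chain behind the signature checking the replies mention, where a signed Release file pins the hash of the Packages index and the index pins the hash of each .deb. It assumes the OpenPGP signature on the Release file has already been verified; the function names and all sample data are constructed for illustration.

```python
import hashlib

def sha256(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()

def release_hashes(release: str) -> dict:
    """Parse the SHA256: section of a Release file into {path: (hash, size)}."""
    out, in_sha = {}, False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_sha = True
        elif in_sha and line.startswith(" "):
            digest, size, path = line.split()
            out[path] = (digest, int(size))
        else:
            in_sha = False
    return out

def package_entry(packages: str, name: str) -> dict:
    """Return the stanza fields for one package from a Packages index."""
    for stanza in packages.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines())
        if fields.get("Package") == name:
            return fields
    raise KeyError(name)

def verify_chain(release, packages_path, packages, name, deb: bytes) -> bool:
    """Release -> Packages -> .deb. Assumption: Release signature already checked."""
    digest, size = release_hashes(release)[packages_path]
    raw = packages.encode()
    if len(raw) != size or sha256(raw) != digest:
        return False  # index was altered in transit or on the mirror
    entry = package_entry(packages, name)
    return len(deb) == int(entry["Size"]) and sha256(deb) == entry["SHA256"]

# Constructed sample data standing in for files fetched over plain http.
PATH = "main/binary-amd64/Packages"
DEB = b"constructed .deb payload"
PACKAGES = ("Package: demo\nVersion: 1.0\n"
            "Filename: pool/main/d/demo/demo_1.0_amd64.deb\n"
            f"Size: {len(DEB)}\nSHA256: {sha256(DEB)}\n")
RELEASE = ("Origin: Example\nSuite: stable\nSHA256:\n"
           f" {sha256(PACKAGES.encode())} {len(PACKAGES.encode())} {PATH}\n")

if __name__ == "__main__":
    tampered = DEB.replace(b"payload", b"PAYLOAD")  # same size, different bytes
    print("original deb accepted:", verify_chain(RELEASE, PATH, PACKAGES, "demo", DEB))
    print("tampered deb accepted:", verify_chain(RELEASE, PATH, PACKAGES, "demo", tampered))
```

Rewriting the hash inside the Packages index to match a modified .deb fails as well, because the index no longer matches the hash in the signed Release file.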