Parrot Update over SSL

Bonjour!

Recently I updated my OS since my Parrot device had been sitting around alone for a while, and I noticed something.

While most programs were being updated over an (assumably) secure channel (https://url), a few were being updated over http, which raised a concern about MITM manipulation attacks. I'm not sure if there are any counter-measures, like automatically checking the hashes/checksums of downloaded (or upgraded) files after an update, or if it's just a blank "MITM depends on your luck lol" kind of thing.

Here are a few snapshots of what I'm referring to:

A few domains like mirror(dot)truenetwork(dot)ru and kartolo(dot)sby(dot)datautama(dot)net(dot)id are shown in the snap that transfer data over http rather than https.

Looking forward to some sort of patch :slight_smile:

This functionality was added in the 4.6 release. The release notes go into some detail on how it works, and should give you confidence that it isn't a security risk.

In short, apt doesn't need https as it has its own signature checking mechanism. But updates over https were added as an extra layer of security.

https://blog.parrotlinux.org/parrot-4-6-release-notes/#apt-now-enforces-https

2 Likes

That's exactly what I was looking for. Thanks! :smiley:

1 Like

apt will verify your packages so you don't need to worry about MITM so much.
And updates via HTTPS are not 100% secure. At Black Hat USA 2015, there was a talk about injecting malware into MS update packages (https).
Some more information.

1 Like
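The signed-metadata chain the replies above refer to, as an added Python example that is not from this thread, from Parrot or from apt itself: a constructed Release file, Packages index and .deb are built inline, the OpenPGP signature on InRelease is assumed to have already been verified against the distribution keyring (the step apt does with its keyring and which is not reproduced here), and the check then walks Release -> Packages -> .deb by hash and size, so a byte altered on the wire over plain http fails at whichever link it touches.

```python
import hashlib

# --- Constructed sample repository data (not a real mirror or package) ---
DEB_BYTES = b"!<arch>\nconstructed-fake-package-contents\n"

# A one-stanza Packages index; its SHA256/Size fields pin the .deb.
PACKAGES_INDEX = (
    "Package: example-tool\n"
    "Version: 1.0-1\n"
    "Architecture: amd64\n"
    "Filename: pool/main/e/example-tool/example-tool_1.0-1_amd64.deb\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
    "\n"
).encode()

# The Release file pins every index file. In a real repository it is the
# OpenPGP-signed InRelease; we assume that signature already checked out.
RELEASE_FILE = (
    "Origin: Constructed\n"
    "Suite: example\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES_INDEX).hexdigest()} {len(PACKAGES_INDEX)} main/binary-amd64/Packages\n"
)


def release_sha256_entries(release_text):
    """Return {path: (sha256hex, size)} from the SHA256 block of a Release file."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_block = False  # any other non-indented line ends the block
    return entries


def verify_blob(blob, expected_digest, expected_size):
    """True only if both the size and the SHA-256 of the bytes match."""
    return len(blob) == expected_size and hashlib.sha256(blob).hexdigest() == expected_digest


def verify_deb(release_text, packages_index, index_path, package, deb_bytes):
    """Walk the chain Release -> Packages -> .deb; True only if every link is intact."""
    entries = release_sha256_entries(release_text)
    if index_path not in entries or not verify_blob(packages_index, *entries[index_path]):
        return False  # index altered in transit: apt would refuse it before looking at any .deb
    for stanza in packages_index.decode().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if fields.get("Package") == package:
            return verify_blob(deb_bytes, fields["SHA256"], int(fields["Size"]))
    return False  # package not listed in the pinned index
```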