CentOS – Why are CentOS mirrors HTTP and not HTTPS?

centos http https security

As far as I know, HTTP is prone to man-in-the-middle attacks. As such, the repositories in Alpine Linux or the CentOS Mirrors are not HTTPS.

In the olden days, having HTTPS used to be an expensive matter. It cost server CPU time and the certificates weren't free. But it's 2022 now, and we have plenty of ways to overcome those problems, and security is a higher priority than ever!

How can we obtain binaries smarter?

Also, is this a problem in the wider Linux community? I.e., Ubuntu, Linux Mint, openSUSE, etc.?

Best Answer

The packages are indeed signed, hence a manipulation would be noticed.

Also, the packages are not secret, so there isn't any need to encrypt them during the transfer.

With the mass of downloads from mirrors, this probably saves them a lot of resources.

It is the same on Debian and Ubuntu.
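
The tamper detection described in the answer is enforced on the client: yum and dnf verify package signatures only for repositories where `gpgcheck` is enabled. As an added example (not part of the original answer), this shell function audits `.repo` files for sections that turn the check off; the sample input is constructed and its repo ids and hosts are placeholders.

```shell
# Added example: flag yum/dnf repo sections that skip package signature checks.
# Constructed sample input; repo ids and hosts are placeholders.
sample_repo() {
cat <<'EOF'
[base]
baseurl=http://mirror.example.org/centos/os/
gpgcheck=1
[thirdparty]
baseurl=http://repo.example.net/el/
gpgcheck=0
[internal]
baseurl=https://repo.example.com/el/
gpgcheck = 0
[extras]
mirrorlist=http://mirrorlist.example.org/?repo=extras
EOF
}

# audit_repos [FILE...]: prints "<id> <transport> <verdict>" per repo; returns 1 on any FAIL.
audit_repos() {
    awk '
    function flush(   t, verdict) {
        if (id != "" && id != "main") {
            t = "other"
            if (url ~ /^https:/) t = "https"
            else if (url ~ /^http:/) t = "http"
            if (gpg == "") verdict = "INFO gpgcheck inherited from [main]"
            else if (gpg !~ /^(0|no|false|off)$/) verdict = "OK signatures verified"
            else if (t != "http") verdict = "WARN signatures not verified"
            else { verdict = "FAIL signatures not verified over plain HTTP"; bad++ }
            print id, t, verdict
        }
        id = ""; url = ""; gpg = ""
    }
    FNR == 1 { flush() }                         # new file: emit the previous section
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") } # trim surrounding whitespace
    /^[#;]/ || /^$/ { next }                     # skip comments and blank lines
    /^\[.*\]$/ { flush(); id = substr($0, 2, length($0) - 2); next }
    (eq = index($0, "=")) > 0 {
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        sub(/[ \t]+$/, "", key); sub(/^[ \t]+/, "", val)
        if (key == "gpgcheck") gpg = tolower(val)
        else if (key ~ /^(baseurl|mirrorlist|metalink)$/ && url == "") url = val
    }
    END { flush(); exit (bad > 0) }
    ' "$@"
}
sample_repo | audit_repos || echo "signature checking is off for a plain-HTTP repo"
```

On a real host, run `audit_repos /etc/yum.repos.d/*.repo`; a section reported as INFO takes its `gpgcheck` value from the `[main]` section of the yum/dnf configuration.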