DirtyAngelica
Posts: 33
Joined: Wed Jun 10, 2020 12:52 pm

How to force updates via secure HTTPS connections?

Thu Sep 23, 2021 5:20 pm

Raspberry Pi update ("sudo apt update") files are secured by PGP, but the default update system uses plaintext non-SSL/TLS (HTTP) connections, even though SSL/TLS-secure (HTTPS) versions of the same server exist. How can I make "sudo apt update" use https://archive.raspberrypi.org/ instead of the default http://archive.raspberrypi.org/ ?

It is just as important to use secure connections as it is to secure files. My ISP and anyone listening on the wire can see when I update my Raspberry Pi and what files are updated... I can't use a VPN for Raspberry Pi due to circumstances, but I can use DNS-over-HTTPS and HTTPS connections to hide and secure my traffic at least to some degree. DNS-over-HTTPS only does that if both DNS server and the connection to whichever other server use HTTPS.

Again, HTTPS versions of Raspberry Pi update repositories already exist. Why aren't they used as default mirrors for updates?

Is there some way I can force Raspberry Pi to use HTTPS versions of update servers instead of HTTP versions?
- Raspberry Pi 4:
8GB RAM - 32 units (for every residence in my apartment complex because every tenant requested one) with Pi-Hole on each one!

- Server:
Intel Core i3-530
Gigabyte GA-H55M-S2H
Windows Home Server OEM
Crucial DDR3 4GB kit
Antec 500W

kerry_s
Posts: 2413
Joined: Thu Jan 30, 2020 7:14 pm

Re: How to force updates via secure HTTPS connections?

Thu Sep 23, 2021 5:39 pm

sudo apt install apt-transport-https

DirtyAngelica
Posts: 33
Joined: Wed Jun 10, 2020 12:52 pm

Re: How to force updates via secure HTTPS connections?

Fri Sep 24, 2021 6:46 pm

Even after installing that package and rebooting the device, it still connects to HTTP (not HTTPS) when I run "sudo apt update" command...

Hit:1 http://archive.raspberrypi.org/debian buster InRelease
Hit:2 http://raspbian.raspberrypi.org/raspbian buster InRelease
Last edited by DirtyAngelica on Fri Sep 24, 2021 6:51 pm, edited 1 time in total.

trejan
Posts: 3716
Joined: Tue Jul 02, 2019 2:28 pm

Re: How to force updates via secure HTTPS connections?

Fri Sep 24, 2021 6:49 pm

You need to edit /etc/apt/sources.list and /etc/apt/sources.list.d/raspi.list

You're not going to be able to hide the fact that you're updating a Raspberry Pi though. It will be obvious from the IP addresses used and SNI.
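
The edit described in the post above, as an added shell example that is not part of the original thread: it switches the active `deb`/`deb-src` entries for one named host to `https://`, keeps a backup, and reports which entries still use plain HTTP. The helper names `apt_source_to_https` and `count_plain_http` are hypothetical, and the sample source lines are constructed for the demo rather than read from a real system.

```shell
#!/bin/sh
# Added example: switch one host's apt entries from http:// to https://.

# apt_source_to_https FILE HOST
# Rewrites active "deb"/"deb-src" lines for HOST only; commented-out lines
# and other hosts are untouched. The original is kept as FILE.bak.
apt_source_to_https() {
    file=$1
    host=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    # Escape dots so the host name is matched literally in the regex.
    host_re=$(printf '%s' "$host" | sed 's/[.]/\\./g')
    sed -E "/^[[:space:]]*deb(-src)?[[:space:]]/ s#http://(${host_re})(/|[[:space:]]|\$)#https://\\1\\2#" \
        "$file.bak" > "$file"
}

# count_plain_http FILE: number of active entries still fetched over http://
count_plain_http() {
    grep -cE '^[[:space:]]*deb(-src)?[[:space:]].*http://' "$1" || true
}

# Demo on a constructed file (sample lines, not the live /etc/apt files).
demo_list=$(mktemp)
cat > "$demo_list" <<'EOF'
deb http://archive.raspberrypi.org/debian/ buster main
deb http://raspbian.raspberrypi.org/raspbian/ buster main contrib non-free rpi
# deb-src http://archive.raspberrypi.org/debian/ buster main
EOF
apt_source_to_https "$demo_list" archive.raspberrypi.org
cat "$demo_list"
echo "entries still on plain HTTP: $(count_plain_http "$demo_list")"
```

Run the function as root against /etc/apt/sources.list and /etc/apt/sources.list.d/raspi.list, only for hosts that actually serve HTTPS, then check that the `Hit:` lines from `sudo apt update` show `https://`.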

DirtyAngelica
Posts: 33
Joined: Wed Jun 10, 2020 12:52 pm

Re: How to force updates via secure HTTPS connections?

Fri Sep 24, 2021 7:12 pm

Sweet! That did it! I found functional HTTPS mirrors here - https://www.raspbian.org/RaspbianMirrors/ .

You're right about SNI. Not even encrypted SNI can hide your queries. We need to wait for ECH (Encrypted Hello).

Is it possible to run Raspberry Pi (Pi-Hole/AdGuard) local DNS server to resolve DNS for local clients that do not use VPN, but update Raspberry Pi itself via VPN? I guess it would depend on VPN software and whether it supports Split Tunneling?