http://bugzilla.opensuse.org/show_bug.cgi?id=1110245 Bug ID: 1110245 Summary: Connection to online repositories should be HTTPS Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.3 Hardware: All OS: All Status: NEW Severity: Enhancement Priority: P5 - None Component: YaST2 Assignee: yast2-maintainers@suse.de Reporter: digitalmon@rambler.ru QA Contact: jsrain@suse.com Found By: --- Blocker: --- Although the online repository servers support HTTPS connection, downloading of packets still occurs via the HTTP protocol. This compromises the security of users. If their connection to the Internet is intercepted, if they work through any proxy server, the attackers can modify the packages on the fly during the download. To install malware and spyware into target system. At the moment, you can only manually change the URLs of the repositories to https so that the packets are downloaded over a secure channel. I want that by default in the operating system the connection to the online-repositories, the downloading of packets, should be with HTTPS connection. This will make users' safety a step higher. I'm sure there will be less glitches, bugs in user systems. But Https is not a panacea. She is also vulnerable to the attack of MITM. The private surveilance service known to me, generates its own RSA-keys to encrypt the HTTPS, brute-force for them a digital signature so that the browser of user does not suspect forgery. The attacker's computer connects to the remote server by https, downloads packages, replaces executable files, infects them with a virus, and the user gives https traffic with his encryption key and a digital signature. But such an attack is not for everyone. To make it more difficult, you need to use long encryption keys and digital signatures on the repository servers. RSA4096 at least. I know that even LTE-connection to the Internet can be intercepted with using of special technical means and OpenLTE, so I do not trust to LTE. LTE-connection can work without encryption, and 3G connection seems to be always encrypted. A wired connection to the Internet, to intercept - generally easy. As PPPoe, as DHCP (DHCP is without authorization and verification of provider access point). The 3G modem with a good antenna has the same speed as the LTE. -- You are receiving this mail because: You are on the CC list for the bug.