# Debian 10 apt HTTPS upgrade

> Upgrading package downloads from HTTP to HTTPS can help with meeting standards such as PCI DSS and NIST SP 800-53. Use of secure transport can also mitigate against future zero-day, remote code vulnerabilities with package managers themselves, such as [CVE-2019-3462](https://security-tracker.debian.org/tracker/CVE-2019-3462), [CVE-2016-1252](https://security-tracker.debian.org/tracker/CVE-2016-1252) and [CVE-2014-6273](https://security-tracker.debian.org/tracker/CVE-2014-6273) in the past.

This short guide aims to help in upgrading the default repositories' URLs from plaintext HTTP to HTTPS.

## Virtual Machine

The commands simply change the URL scheme from `http` to `https` in `/etc/apt/sources.list`, making a backup file (with extension _.orig_) in the process. No extra transport package is needed: the _apt_ shipped with Debian 10 has HTTPS support built in (since apt 1.5), so `apt-transport-https` is only a transitional dummy package.

### AWS User Data

```bash
#!/bin/bash -ex
# Debian AWS images use the cdn-aws.deb.debian.org alias; fold it into deb.debian.org.
# Dots are escaped so the pattern matches only the intended hostnames.
sed --in-place=.orig --regexp-extended 's%http://(cdn-aws\.)?(deb|security)\.debian\.org%https://\2.debian.org%g' /etc/apt/sources.list
```

### GCP Startup Script

```bash
#!/bin/bash -ex
# Debian mirrors in the main sources.list; dots escaped to match only these hostnames.
sed --in-place=.orig --regexp-extended 's%http://(deb|security)\.debian\.org%https://\1.debian.org%g' /etc/apt/sources.list
# Google's package mirror lives in drop-in files under sources.list.d on GCP images.
sed --in-place=.orig --regexp-extended 's%http://packages\.cloud\.google\.com%https://packages.cloud.google.com%g' /etc/apt/sources.list.d/*.list
```
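The rewrite shown in both scripts above, as an added example that is not part of the original guide: a function applies the same `sed` substitutions (AWS CDN alias, Debian mirrors and the GCP package mirror together) to a given file, and a second function verifies afterwards that no enabled `deb`/`deb-src` line still uses `http://`. The sample `sources.list` contents and the temporary file paths are constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not from the original guide): rewrite a sources.list to HTTPS
# with a .orig backup, then verify that no plaintext http:// entry remains.
# Sample contents and paths below are constructed for the demonstration.

set -euo pipefail

# Rewrite the Debian mirrors (including the cdn-aws alias) and the GCP package
# mirror from http:// to https:// in the given file, keeping a .orig backup.
# Dots are escaped so the patterns match only the intended hostnames.
rewrite_sources_to_https() {
    local file="$1"
    sed --in-place=.orig --regexp-extended \
        -e 's%http://(cdn-aws\.)?(deb|security)\.debian\.org%https://\2.debian.org%g' \
        -e 's%http://packages\.cloud\.google\.com%https://packages.cloud.google.com%g' \
        "$file"
}

# Return 0 when every enabled "deb"/"deb-src" line uses https://; otherwise
# print the offending lines (with line numbers) and return 1. Comments are ignored.
check_no_plaintext_sources() {
    local file="$1"
    if grep -nE '^[[:space:]]*deb(-src)?[[:space:]].*http://' "$file"; then
        return 1
    fi
    return 0
}

# Constructed sample resembling a Debian 10 AWS image with the GCP mirror added.
write_sample_sources() {
    local file="$1"
    cat > "$file" <<'EOF'
deb http://cdn-aws.deb.debian.org/debian buster main
deb http://security.debian.org/debian-security buster/updates main
deb http://cdn-aws.deb.debian.org/debian buster-updates main
# deb http://deb.debian.org/debian buster-backports main
deb http://packages.cloud.google.com/apt cloud-sdk-buster main
EOF
}

# Walk through the whole procedure on the constructed sample.
demo() {
    local dir file
    dir="$(mktemp -d)"
    file="$dir/sources.list"
    write_sample_sources "$file"
    if check_no_plaintext_sources "$file" >/dev/null; then
        echo "unexpected: sample is already HTTPS-only" >&2
        return 1
    fi
    rewrite_sources_to_https "$file"
    echo "--- rewritten $file"
    cat "$file"
    echo "--- backup kept at $file.orig"
    check_no_plaintext_sources "$file" && echo "OK: no plaintext http:// source lines remain"
}
```

Run `demo` to see the before/after on the sample; on a real host, point `rewrite_sources_to_https` at `/etc/apt/sources.list` (and each file under `/etc/apt/sources.list.d/`) and run `check_no_plaintext_sources` on the same files as the post-change check.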

## Container

### Dockerfile

```Dockerfile
FROM debian:10-slim

# Certificate verification is disabled only for the duration of this single RUN
# step: the slim base image carries no CA bundle, so ca-certificates has to be
# fetched before apt can validate the mirrors' certificates. The override file
# is removed in the same step, so it never reaches the image layer.
RUN echo 'Acquire::https::Verify-Peer "false";' > /etc/apt/apt.conf.d/99_tmp_ssl-verify-off.conf && \
    sed --in-place=.orig --regexp-extended 's%http://(deb|security)\.debian\.org%https://\1.debian.org%g' /etc/apt/sources.list && \
    apt-get update && \
    apt-get install --assume-yes ca-certificates && \
    rm /etc/apt/apt.conf.d/99_tmp_ssl-verify-off.conf
```

These commands first turn off TLS certificate verification because (a) the container build process may already be behind [DiscrimiNAT](/discriminat/) and (b) the slim base image ships without a CA certificates bundle, which has to be downloaded before verification can work. [DiscrimiNAT](/discriminat/) independently verifies each connection and will ensure _apt_ connected to the CDN specified even though the certificate was not verified locally. The configuration that turned verification off is removed in the same `RUN` step once the bundle is installed, so it does not persist into the final image.
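Since the hardening described above relies on the temporary `Verify-Peer "false"` fragment actually being removed, a post-build audit is worth having. The following is an added example, not part of the original guide or the DiscrimiNAT product: it scans an `apt.conf.d`-style directory for any directive that disables peer or host verification, whether global (`Acquire::https::Verify-Peer`) or scoped to one host (`Acquire::https::<host>::Verify-Host`), and fails if any is present. The sample fragments and directory paths are constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not from the original guide): audit an apt configuration
# directory for fragments that disable TLS peer or host verification, such as
# a leftover 99_tmp_ssl-verify-off.conf. Sample files below are constructed.

set -euo pipefail

# Print "file:line:content" for every directive that turns verification off,
# global or host-scoped, and return 1 if any is found; return 0 when clean.
find_tls_verification_overrides() {
    local conf_dir="$1"
    # -r recurse, -s ignore unreadable/missing files, -H/-n give file:line prefixes.
    if grep -rsHnE 'Acquire::https(::[^:]+)?::Verify-(Peer|Host)[[:space:]]+"?false"?' "$conf_dir"; then
        return 1
    fi
    return 0
}

# Constructed sample: one harmless fragment and one verify-off fragment, as the
# directory would look mid-way through the Dockerfile's RUN step.
write_sample_conf_dir() {
    local dir="$1"
    mkdir -p "$dir"
    printf 'Acquire::Retries "3";\n' > "$dir/80-retries.conf"
    printf 'Acquire::https::Verify-Peer "false";\n' > "$dir/99_tmp_ssl-verify-off.conf"
}

# Show the audit failing on the leftover fragment and passing after clean-up.
demo() {
    local dir
    dir="$(mktemp -d)/apt.conf.d"
    write_sample_conf_dir "$dir"
    if find_tls_verification_overrides "$dir"; then
        echo "OK: no verification overrides in $dir"
    else
        echo "FAIL: verification overrides present in $dir (listed above)" >&2
    fi
    rm "$dir/99_tmp_ssl-verify-off.conf"   # the Dockerfile's clean-up step
    find_tls_verification_overrides "$dir" && echo "OK after clean-up: $dir is clean"
}
```

On a built image, run `find_tls_verification_overrides /etc/apt/apt.conf.d` (and check `/etc/apt/apt.conf` if present); `apt-config dump | grep -i Verify` shows the effective merged values that _apt_ will actually use.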

## Allowlist

### FQDNs

```
deb.debian.org,security.debian.org,packages.cloud.google.com
```

### DiscrimiNAT Annotation

```
discriminat:tls:deb.debian.org,security.debian.org,packages.cloud.google.com
```
