Monday, 24 April 2017

Kali Linux Repository HTTPS Support

Table of Contents

- https://cdimage.kali.org
- https://http.kali.org

A couple of weeks back we added more HTTPS support to our Kali infrastructure, and wanted to give our users some guidance and point out what’s new. While our Kali Linux download page (and shasums) has always been served via HTTPS, our mirror redirector has not. Now that we generate weekly images, secure access to the mirror redirector has become crucial.

https://cdimage.kali.org

This is our Kali Image Mirror Redirector. This server accepts your download requests from our official download page, and then serves your requested file from the geographically closest mirror. This is also the download point for our Kali Weekly builds - now with fresh and shiny HTTPS support. Hitting this redirector via HTTPS will redirect your request to an SSL enabled download server, while an unencrypted HTTP request will redirect to an HTTP enabled mirror. Where’s the catch? Not all donated mirrors support HTTPS, so choosing this transport may result in slower download speeds. Should downloading a Kali image over HTTP be a security concern? Not if you GPG verify your downloaded image.

https://http.kali.org

As a byproduct of enabling HTTPS on cdimage.kali.org, we now also support apt HTTPS transports. This means that our actual Kali package repositories can support HTTPS - resulting in encrypted Kali updates and upgrades. Surprisingly, this does not add much security to the update / upgrade process (read here if you’re wondering why) - however it *does* add an extra layer of security, so we figured, “why not?”. To enable the apt HTTPS transport, first make sure the apt-transport-https package is installed (it’s installed by default in our weekly images and upcoming releases) and enable the HTTPS transport in your sources.list file as shown below:

root@kali:~# apt install apt-transport-https
root@kali:~# cat /etc/apt/sources.list
deb https://http.kali.org/kali kali-rolling main contrib non-free
# deb-src https://http.kali.org/kali kali-rolling main contrib non-free
root@kali:~#

Now any update or upgrade operation preformed against our mirrors will be HTTPS enabled:

root@kali:~# apt update
Hit:1 https://archive-3.kali.org/kali kali-rolling InRelease
Reading package lists... Done
root@kali:~#

As not all donated mirrors come with HTTPS support, shifting to the HTTPS transport may result in a less optimized mirror being selected for you, resulting in slower download speeds. As moving to an apt HTTPS transport does not provide much extra security, do so only if you feel you must!