Ubuntu OS Updates with Security and Privacy

2016 April 26

Updated in 2021

Never Forget DSA-3733, aka Validating signatures > MitM > RCE

The Debian developer community refused to implement transport crypto for updates because “signing packages is secure enough”. Utter bullshit.

This is a quick guide on how to dramatically improve the privacy and security of your Ubuntu web server. It requires installing “apt-transport-tor”, an APT transport that lets APT fetch packages over Tor. It also relies on “apt-transport-https”, which is already installed on Ubuntu.

The Wikimedia Ubuntu repo has a good TLS configuration, and they don't block Tor.

On your server, first install Tor.

Then perform the following:

sudo apt update && sudo apt dist-upgrade -y && sudo apt install apt-transport-tor

sudo vim /etc/apt/sources.list

Edit “sources.list” so that it contains only “deb” lines. “deb-src” is only needed if you build packages from source, which most people do not, so you can safely delete the deb-src lines from the file. Replace all of the default Ubuntu repos with Wikimedia’s, and be sure to add “tor+” before the “https”. HTTPS gives you end-to-end encryption to the mirror, and routing it over Tor means network adversaries will have a much harder time working out what software, and which versions of it, is installed on your web server.

deb tor+https://mirrors.wikimedia.org/ubuntu/ focal main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ focal-updates main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ focal-backports main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ focal-security main restricted universe multiverse
deb tor+https://deb.torproject.org/torproject.org focal main
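As an added example that is not part of the original post, here is a small POSIX shell script that performs the sources.list rewrite described above (dropping deb-src lines, pointing the stock Ubuntu archives at the Wikimedia mirror over tor+https, and, going one step beyond the post, prefixing any other https entry such as deb.torproject.org with tor+) and then checks that no active line would still bypass Tor. The mirror URL is the post’s; the sample sources.list and the repo.example.invalid host are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original post: rewrite a stock Ubuntu
# sources.list so every entry fetches via tor+https:// (Ubuntu archives
# redirected to the Wikimedia mirror, other https hosts prefixed with tor+),
# drop deb-src lines, then verify nothing is left on plain http.
MIRROR="tor+https://mirrors.wikimedia.org/ubuntu/"

# torify_sources FILE: print the rewritten list to stdout (comments, blank
# lines and deb-src entries are dropped; an optional [options] field is kept).
torify_sources() {
    sed -E \
        -e '/^[[:space:]]*(#|$)/d' \
        -e '/^[[:space:]]*deb-src[[:space:]]/d' \
        -e "s#^deb[[:space:]]+(\[[^]]*\][[:space:]]+)?https?://[a-z0-9.-]*ubuntu\.com/ubuntu/?#deb \1${MIRROR}#" \
        -e 's#^deb[[:space:]]+(\[[^]]*\][[:space:]]+)?https://#deb \1tor+https://#' \
        "$1"
}

# check_sources FILE: exit 0 only if every active line uses tor+https://;
# offending lines (plain http, a forgotten tor+ prefix) are reported on stderr.
check_sources() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        /^deb[[:space:]]+(\[[^]]*\][[:space:]]+)?tor[+]https:\/\// { next }
        { bad++; print "not tor+https: " $0 > "/dev/stderr" }
        END { exit (bad > 0) }' "$1"
}

# Constructed sample of a stock focal sources.list plus one third-party
# plain-http entry (repo.example.invalid), to show the check rejecting it.
sample_sources() {
    cat <<'EOF'
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade
deb http://archive.ubuntu.com/ubuntu/ focal main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ focal main restricted universe multiverse
deb http://us.archive.ubuntu.com/ubuntu/ focal-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu focal-security main restricted universe multiverse
deb [arch=amd64] https://archive.ubuntu.com/ubuntu/ focal-backports main
deb https://deb.torproject.org/torproject.org focal main
deb http://repo.example.invalid/ubuntu focal main
EOF
}
```

Source the file and run `torify_sources /etc/apt/sources.list > /tmp/sources.list.tor && check_sources /tmp/sources.list.tor` before copying the result into place; on the constructed sample the check fails and names the plain-http line.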

All your future apt update and dist-upgrade runs will now go over Tor, wrapped in Wikimedia’s strong HTTPS.

yawnbox