Qubes Update Security

Greetings, regarding updates in Qubes, are dom0 updates done over https? I know many distros still update over http so I thought I would ask even though I think they are over https.

Dom0 update security goes far beyond the question of whether it’s done over HTTPS. Please read the following:

Yes yes, would you mind confirming if it’s over HTTPS or not, pls?

I have to emphasize that you’re asking the wrong question. Not only that, but the question assumes an overly simplistic model of the system. You can check the repo config files yourself in /etc/yum.repos.d/ in dom0. The metalink URLs use HTTPS. Some of the (commented-out) Fedora baseurls don’t, but all the Qubes repo baseurls do. You can take a look at https://yum.qubes-os.org/r4.0/current/dom0/fc25/repodata/repomd.xml.metalink (if that’s the one you’re using) and see that all the mirror URLs in the list have “https,” so that probably means that every Qubes package is downloaded over HTTPS from some mirror (and you’d have to do a similar investigation for Fedora for times when the dom0 distro isn’t EOL).

But it doesn’t matter, because many of those mirrors are unvetted and untrusted anyway. Any random volunteer can set up a mirror. In the case of a compromised or malicious mirror, HTTPS simply means that the connection between you and your attacker is secure. This is why it’s a good thing our security model doesn’t require trusting mirrors at all. In fact, we don’t even trust our own infrastructure (more on this). HTTPS is not as important to update security as you think it is. I urge you to read the pages I linked and take them seriously if you really want to understand update security.

Note: I’m not saying HTTPS is not important at all. For certain use cases, it is extremely important (e.g., online banking). Even in the context of OS updates, it’s still valuable for providing some defense-in-depth and maybe some privacy, so I’m in favor of having it as the default. However, many people assume it’s more important than it really is, or – worse yet – that it’s all there is to update security. I’m a big fan of HTTPS, but I prefer to view it objectively as a tool that provides specific security properties under specific conditions, not a magical panacea.

In many ways, this is analogous to the common misconception that simply using a VPN is sufficient for online privacy (ignoring the importance of things like fingerprinting, leaks, user behavior, provider trustworthiness, etc.), which makes it quite easy not to gain any privacy – or even lose privacy – when adding a VPN to your setup.
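The repo-file check suggested in the reply above, as an added example that is not part of the original thread or of Qubes itself. The sample repo text is constructed, the function names are hypothetical, and reporting `gpgcheck` (the yum/dnf option that turns on package signature checking) beside the URL scheme is an assumption about what a reader would want to see next to the transport.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the style of a yum .repo file; not copied from a real dom0.
SAMPLE_REPO = """\
[example-current]
#baseurl = http://mirror.example.org/repo/current
metalink = https://mirror.example.org/repo/current/repomd.xml.metalink
gpgcheck = 1

[example-testing]
baseurl = http://mirror.example.org/repo/testing
gpgcheck = 0
enabled = 0
"""

URL_KEYS = {"baseurl", "metalink", "mirrorlist"}
LINE = re.compile(r"^(?P<off>#\s*)?(?P<key>\w+)\s*=\s*(?P<val>.+)$")

def audit_repo(text):
    """Per repo section: (key, scheme, active) for each URL, plus gpgcheck/enabled."""
    repos, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # gpgcheck None = unset here; the global config is not read by this sketch.
            cur = {"id": line[1:-1], "urls": [], "gpgcheck": None, "enabled": True}
            repos.append(cur)
            continue
        m = LINE.match(line)
        if not m or cur is None:
            continue
        key, val, active = m["key"].lower(), m["val"].strip(), m["off"] is None
        if key in URL_KEYS:
            for url in val.split():
                cur["urls"].append((key, urlsplit(url).scheme, active))
        elif active and key in ("gpgcheck", "enabled"):
            cur[key] = val.lower() in ("1", "true", "yes")
    return repos

def findings(repos):
    """Flag active non-HTTPS URLs and sections where gpgcheck is not switched on."""
    out = []
    for r in repos:
        for key, scheme, active in r["urls"]:
            if active and scheme != "https":
                out.append((r["id"], f"{key} uses {scheme}"))
        if r["gpgcheck"] is not True:
            out.append((r["id"], "gpgcheck not enabled"))
    return out
```

To audit real files, pass the contents of each file under /etc/yum.repos.d/ to `audit_repo` and print `findings` for the result.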

You made some good points, I will carefully read the links you posted. Thanks for the answer.