Use HTTPS repositories in Kali Linux

Since last year (2017), Kali Linux has supported HTTPS transport in its repositories. However, because Kali uses mirrors, and not all mirrors support HTTPS, enabling it MAY affect download speed: you may be redirected to a mirror that is far from you and served by a less optimized server.

As the Kali blog says:

As moving to an apt HTTPS transport does not provide much extra security, do so only if you feel you must!

This is because APT verifies the signatures of packages before installing them, so if an attacker modifies the files you're downloading, the tampering will be noticed, for example as a checksum mismatch.

A quote from an Ask Ubuntu page:

Using a signature verification is better than using an HTTPS connection, because it'll detect an attack on the server you're downloading from, not just an attack in transit.

Use apt-get with HTTPS

To use apt-get with HTTPS, specify https:// URLs in /etc/apt/sources.list and in the files under /etc/apt/sources.list.d/. APT will then use HTTPS for those repositories.

# The Official Kali Rolling Repository
deb https://http.kali.org/kali kali-rolling main contrib non-free

# For source package access, uncomment the following line
#deb-src https://http.kali.org/kali kali-rolling main contrib non-free

Then run apt-get update to refresh your local package lists over HTTPS.
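To confirm that every active entry really uses https:// after editing, the check below lists each entry with its scheme. It is an added example, not part of the original post: the function name audit_apt_sources is hypothetical, it reads only the one-line "deb ..." format shown above, and the mirror hostname and keyring path in the sample are constructed.

```shell
#!/bin/sh
# audit_apt_sources FILE...
# Prints "<scheme> <file>:<line> <uri>" for every active deb/deb-src entry
# and returns 1 if any entry uses a scheme other than https.
audit_apt_sources() {
    awk '
        BEGIN { bad = 0 }
        # Commented-out entries never have "deb" or "deb-src" as field 1.
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            # Skip an optional [option=value ...] block; it may contain spaces.
            if ($i ~ /^\[/) {
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            if (i > NF) next              # malformed line: no URI field
            uri = $i
            scheme = uri
            sub(/:.*/, "", scheme)        # keep the text before the first ":"
            printf "%s %s:%d %s\n", scheme, FILENAME, FNR, uri
            if (scheme != "https") bad = 1
        }
        END { exit bad }
    ' "$@"
}

# Demo on a constructed sample file (not a real system file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# The Official Kali Rolling Repository
deb https://http.kali.org/kali kali-rolling main contrib non-free
#deb-src https://http.kali.org/kali kali-rolling main contrib non-free
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] http://mirror.example.org/kali kali-rolling main
EOF
audit_apt_sources "$sample" || echo "non-HTTPS entries found"
rm -f "$sample"
```

On a real system, pass /etc/apt/sources.list and the .list files under /etc/apt/sources.list.d/ as arguments.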

Why use HTTPS in APT transport?

Some programs can interfere with this APT traffic, or see which packages you download.

Since Kali provides HTTPS for APT transport, why not use it? Even without HTTPS, APT protects against data tampering through its built-in signature verification. However, the connection itself is not encrypted.

Encryption in transport would prevent eavesdroppers (such as your ISP) from being able to see what you are downloading. If you need privacy about what particular packages you're downloading, HTTPS is a must.

Hazmirul Afiq
