Wondering why EC2 software updates via APT on Ubuntu are not connecting to 443 / HTTPS endpoints

Shouldn’t this process be using HTTPS which validates that the connection is getting to the correct server?

Teri Radichel
Bugs That Bite


HTTPS does not only encrypt data in transit, it also validates the authenticity of the server to which a process is connecting.

When I run:

sudo apt install nmap

I would expect the process to connect to an endpoint on port 443 over HTTPS, but it does not. It connects on port 80, unencrypted, to update the software.

I have heard some people claim that there is an integrity check to verify that the software is valid, so the encrypted connection is not needed: if the software is altered in transit on the unencrypted channel, the integrity check will catch that the package is not valid.

What if the method of validating the integrity check gets compromised?
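As an added example (not code from the original post), the shell snippet below shows how a defender can audit the APT source lists on an instance for mirrors reached over plain HTTP and produce a copy with those entries switched to HTTPS. The sample sources.list content and temporary file paths are constructed for the demonstration; on a real instance the files to inspect are /etc/apt/sources.list and /etc/apt/sources.list.d/*.

```shell
#!/bin/sh
# Added example, not from the original post: audit APT source lists for
# plain-HTTP mirrors and rewrite them to HTTPS. The sample content below is
# constructed to resemble an Ubuntu EC2 default sources.list.

# Print every active deb/deb-src line in a sources file whose mirror URI
# starts with http:// (commented-out lines and https:// lines are ignored).
list_http_sources() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?http://' "$1"
}

# Count such lines; prints 0 when the file has none.
count_http_sources() {
    list_http_sources "$1" | wc -l | tr -d ' '
}

# Write a copy of a sources file with http:// mirrors switched to https://.
# Not every mirror serves HTTPS, so run `apt-get update` afterwards to confirm
# the rewritten entries still resolve.
rewrite_to_https() {
    sed -E 's#^([[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?)http://#\1https://#' "$1" > "$2"
}

# Constructed sample: two active plain-HTTP entries, one commented out,
# one already on HTTPS.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ jammy main restricted
deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ jammy-updates main restricted
# deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ jammy-backports main
deb https://security.ubuntu.com/ubuntu jammy-security main restricted
EOF

FIXED="$(mktemp)"
rewrite_to_https "$SAMPLE" "$FIXED"
echo "plain-http entries before: $(count_http_sources "$SAMPLE")"
echo "plain-http entries after:  $(count_http_sources "$FIXED")"
```

On Ubuntu releases older than 18.04 the HTTPS transport for apt lives in the separate apt-transport-https package; newer apt versions include it by default.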


CEO 2nd Sight Lab | Penetration Testing & Assessments | AWS Hero | Masters of Infosec & Software Engineering | GSE 240 etc | IANS | SANS Difference Makers Award