matthew wrote:
> [snip]
>
> There are MD5 and SHA sums in that same directory. However I can only
> access those checksums through unencrypted connections. Therefore they
> cannot be used to check against 3rd party tampering. (Since someone
> who has the ability to tamper with the .iso can also tamper with the
> .txt files.)

I don't think you quite get how "HTTPS" works, or rather what "HTTPS" implies. All it means is that the transport channel itself (in this case, HTTP) is secured from someone eavesdropping on the connection (and, by extension, it's not being modified on the fly), and that the server at the other end is what it says it is (i.e. a cert for "https://www.example.com" will cause your browser to error if you get redirected to "https://honeypot.example.com").

It DOES NOT protect you from a malicious party who has "tampered" with the iso image itself, and is presenting that tampered file as the original (the way to verify THAT information is with checksums and digital signatures).

For example, let's say you ask for a link to "some_package.deb" (because it's old / unmaintained -- like Adobe Reader -- and you need to use it because some Windows fool sent you something that relies on that package to work). Without a checksum or signature on the file, even if I send you a https link (e.g. "https://example.com/some_package.deb"), you have no assurances that the package is ~really~ the one you're after (as opposed to say, a rootkit).

So, given the fact that HTTPS doesn't ~actually~ provide you with any security when a "malicious party" has root access to the webserver, AND that it adds overhead to the transmission (which, for an install ISO is pretty big already), it's preferable to provide the files in the manner that they have been (i.e. HTTP with detached signatures / checksums).

Note too that the checksum information and digital signature source SHOULD be provided in an out-of-band (and secure) manner so as to create a strong web of trust. Given that "debian" is the "well-trusted" party in this instance, their providing of both

 - their public signing key, AND
 - the *.iso MD5 and/or SHA checksum(s)

on an HTTPS-secured webpage will suffice the conditions of "creating trust" for most people.

Further strengthening of this trust can be had by the public PGP key being itself signed by well-known and well-trusted individuals in the community (even if they're only 'marginally' trusted by you, GPG defaults to '3 marginals = okay' for trust purposes -- although you can still verify a signature even without "trusting" the key).

> 
> Am I supposed to be able to use https? If not, how can I download
> debian iso files securely?

No. As explained, you don't need to "download" them securely, but rather have a secure means to validate the data you get is the data you expect.

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O|
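
Added example, not part of the original message or of Debian's tooling: a Python check of a downloaded image against both a sha256sum-style checksum file from the same mirror and a digest obtained out-of-band, showing that only the latter catches a replaced image whose checksum file was regenerated. The file name `example.iso` and all data are constructed for the illustration.

```python
import hashlib, hmac, os, tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream the file so a multi-GB ISO never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_sums(text):
    """Parse sha256sum-style lines: '<hex>  <name>' or '<hex> *<name>'."""
    sums = {}
    for line in text.splitlines():
        digest, sep, name = line.strip().partition(" ")
        name = name.lstrip(" *")
        if sep and len(digest) == 64 and name:
            sums[name] = digest.lower()
    return sums

def verify(path, sums_text, trusted_digest=None):
    """Return (matches_sums_file, matches_trusted_digest or None)."""
    actual = sha256_file(path)
    listed = parse_sums(sums_text).get(os.path.basename(path), "")
    in_file = hmac.compare_digest(actual, listed)
    pinned = None
    if trusted_digest is not None:
        pinned = hmac.compare_digest(actual, trusted_digest.lower())
    return in_file, pinned

def demo():
    # Constructed stand-ins for the genuine and the replaced image.
    genuine = b"genuine installer image" * 1000
    replaced = b"tampered installer image" * 1000
    # Digest as it would be read from a trusted, out-of-band source.
    trusted = hashlib.sha256(genuine).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "example.iso")
        with open(iso, "wb") as f:
            f.write(replaced)
        # Whoever replaced the image also regenerated the sums file beside it.
        same_mirror_sums = f"{hashlib.sha256(replaced).hexdigest()}  example.iso\n"
        return verify(iso, same_mirror_sums, trusted)

if __name__ == "__main__":
    print(demo())
```

In practice the out-of-band digest is replaced by verifying the detached signature on the checksum file with the publisher's public key, which is the role the signing key plays in the message above.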