There are a few important points to make in response to what you said ...
1) We're not talking about merely browsing; we're talking about downloading and verifying software that will run on your computer. Without verification information being provided over https, there's absolutely no protection from a man-in-the-middle causing you to download a maliciously compromised version of the software from another server.
2) Apart from locally installed software or configuration (which you are responsible for and implicitly trust on your own computer), the examples of man-in-the-middle possibilities you list are ones that are protected by using https. That is, if I were going to download and verify FreeDOS, I would ensure that the verification checksums were served over https. When I attempted to load the checksums over https, if a captive portal intercepted the request, my browser would inform me that the MiTM doesn't have a matching certificate (unless my browser has been specially configured to trust the certificate of that captive portal, which means either I did it or I'm using some other organization's computer and accept the consequences). Additionally, a gateway cannot inspect or inject content going through https unless the computer initiating the request is specially configured to trust certificates created by that gateway, so if one that hasn't been trusted tries, you get a browser error just the same. DNS forgery would result in the same -- your browser would tell you that the server you're connecting to doesn't have a matching certificate. Proxy content injection -- same story. These are all examples of where user vigilance in ensuring they are getting the verification information over https protects the user from a MiTM attack. On the other hand, your browser and extensions you use could indeed modify the contents of https communications -- but this is locally installed and configured software that the user has chosen to trust.
The certificate system isn't perfect, but it's considerably better than nothing.
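The check argued for in this message, as an added example that is not part of the original post: fetch the checksum list only over certificate-verified https, then compare the download's hash against it. The function names, the file names and the sha256sum-style manifest format are assumptions made for illustration.

```python
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlsplit


def fetch_checksums(url):
    """Fetch a checksum manifest, accepting only certificate-verified https."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing non-https checksum source: " + url)
    # Default context = CERT_REQUIRED + hostname check, so a captive portal,
    # forged DNS answer or intercepting proxy without a trusted certificate
    # makes urlopen() raise instead of returning attacker-chosen checksums.
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        if urlsplit(resp.geturl()).scheme != "https":  # redirected to http
            raise ValueError("checksum source redirected away from https")
        return resp.read().decode("utf-8")


def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>')."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            entries[name] = digest
    return entries


def verify_download(path, name, manifest):
    """Return True only if the file's SHA-256 matches the manifest entry."""
    expected = manifest.get(name)
    if expected is None:
        return False  # no entry means unverified, not "fine"
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)
```

The download itself may come from any mirror; only the manifest needs the https guarantee, because a tampered file will no longer match it.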
_______________________________________________
Freedos-user mailing list
https://lists.sourceforge.net/lists/listinfo/freedos-user