Louis,
There are a few important points to make in response to what you said ...
1) We're not talking about merely browsing; we're talking about downloading and verifying software that will run on your computer. Without verification information being provided over https, there's absolutely no protection from a man-in-the-middle causing you to download a maliciously compromised version of the software from another server.
2) Apart from locally installed software or configuration (which you are responsible for and implicitly trust on your own computer), the examples of man-in-the-middle possibilities you list are ones that are protected by using https. That is, if I were going to download and verify FreeDOS, I would ensure that the verification checksums were served over https. When I attempted to load the checksums over https, if a captive portal intercepted the request, my browser would inform me that the MiTM doesn't have a matching certificate (unless my browser has been specially configured to trust the certificate of that captive portal, which means either I did it or I'm using some other organization's computer and accept the consequences). Additionally, a gateway cannot inspect or inject content going through https unless the computer initiating the request is specially configured to trust certificates created by that gateway, so if one that hasn't been trusted tries, you get a browser error just the same. DNS forgery would result in the same -- your browser would tell you that the server you're connecting to doesn't have a matching certificate. Proxy content injection -- same story. These are all examples of where user vigilance in ensuring they are getting the verification information over https protects the user from a MiTM attack. On the other hand, your browser and extensions you use could indeed modify the contents of https communcations -- but this is locally installed and configured software that the user has chosen to trust.
The certificate system isn't perfect, but it's considerably better than nothing.
Sent: Sunday, January 15, 2017 at 12:43 AM
From: "Louis Santillan" <lpsan...@gmail.com>
To: "Discussion and general questions about FreeDOS." <freedos-user@lists.sourceforge.net>
Subject: Re: [Freedos-user] verification checksums should be served over https
From: "Louis Santillan" <lpsan...@gmail.com>
To: "Discussion and general questions about FreeDOS." <freedos-user@lists.sourceforge.net>
Subject: Re: [Freedos-user] verification checksums should be served over https
I would not be lured into a false sense of security provided by
browser makers and their insistence that the safest form of browsing
is over HTTPS. You can still be easily MITM'd with captive portals,
gateway content inspection/injection, DNS forgery, via proxy content
injection, your ad blocker or browser extensions profile and probably
another half dozen easily implemented exploits. Heck, your browser
can even become part of the MITM exploit.
I'll intentionally misquote a saying I've heard about rules & law;
"[Encryption standards] aren't made to keep the bad guys out; they're
made to keep the good guys in."
On Sat, Jan 14, 2017 at 11:21 AM, shaclacroi <shaclac...@fastservice.com> wrote:
> The download page links to checksums at
> http://www.freedos.org/download/verify.txt -- but since this page isn't
> available over https, there's no way to confirm the validity of the
> checksums, since the page could be intercepted and modified by a
> man-in-the-middle attacker
> (https://en.wikipedia.org/wiki/Man-in-the-middle_attack).
>
> As free secure https certficates are now offered by Let's Encrypt
> (https://letsencrypt.org/), it may be advisable to get https set up for
> www.freedos.org.
>
> Alternatively, as I see your hosted on Amazon Web Services, if you're using
> Elastic Load Balancing or Amazon CloudFront, Amazon's Certificate Manager
> also offers free https certificates.
>
> Let me know if I can be of any help.
>
> ------------------------------------------------------------------------------
> Developer Access Program for Intel Xeon Phi Processors
> Access to Intel Xeon Phi processor-based developer platforms.
> With one year of Intel Parallel Studio XE.
> Training and support from Colfax.
> Order your platform today. http://sdm.link/xeonphi
> _______________________________________________
> Freedos-user mailing list
> Freedos-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/freedos-user
>
------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi
_______________________________________________
Freedos-user mailing list
Freedos-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freedos-user
browser makers and their insistence that the safest form of browsing
is over HTTPS. You can still be easily MITM'd with captive portals,
gateway content inspection/injection, DNS forgery, via proxy content
injection, your ad blocker or browser extensions profile and probably
another half dozen easily implemented exploits. Heck, your browser
can even become part of the MITM exploit.
I'll intentionally misquote a saying I've heard about rules & law;
"[Encryption standards] aren't made to keep the bad guys out; they're
made to keep the good guys in."
On Sat, Jan 14, 2017 at 11:21 AM, shaclacroi <shaclac...@fastservice.com> wrote:
> The download page links to checksums at
> http://www.freedos.org/download/verify.txt -- but since this page isn't
> available over https, there's no way to confirm the validity of the
> checksums, since the page could be intercepted and modified by a
> man-in-the-middle attacker
> (https://en.wikipedia.org/wiki/Man-in-the-middle_attack).
>
> As free secure https certficates are now offered by Let's Encrypt
> (https://letsencrypt.org/), it may be advisable to get https set up for
> www.freedos.org.
>
> Alternatively, as I see your hosted on Amazon Web Services, if you're using
> Elastic Load Balancing or Amazon CloudFront, Amazon's Certificate Manager
> also offers free https certificates.
>
> Let me know if I can be of any help.
>
> ------------------------------------------------------------------------------
> Developer Access Program for Intel Xeon Phi Processors
> Access to Intel Xeon Phi processor-based developer platforms.
> With one year of Intel Parallel Studio XE.
> Training and support from Colfax.
> Order your platform today. http://sdm.link/xeonphi
> _______________________________________________
> Freedos-user mailing list
> Freedos-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/freedos-user
>
------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi
_______________________________________________
Freedos-user mailing list
Freedos-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freedos-user
------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi
_______________________________________________ Freedos-user mailing list Freedos-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/freedos-user
