From: shaclacroi <shaclac...@fastservice.com>

--===============4246186708895111201==
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<html><head></head><body><div style="font-family: Verdana;font-size:
12.0px;"><div>
<div>Louis,</div>

<div>&nbsp;</div>

<div>There are a few important points to make in response to what you said
....</div>

<div>&nbsp;</div>

<div>1) We&#39;re not talking about merely browsing; we&#39;re talking about
downloading and verifying software that will run on your computer. Without
verification information being provided over https, there&#39;s absolutely no
protection from a man-in-the-middle causing you to download a maliciously
compromised version of the software from another server.</div>

<div>&nbsp;</div>

<div>2) Apart from locally installed software or configuration (which you are
responsible for and implicitly trust on your own computer), the examples of
man-in-the-middle possibilities you list are ones that are protected by using
https. That is, if I were going to download and verify FreeDOS, I would ensure
that the verification checksums were served over https. When I attempted to
load the checksums over https, if a captive portal intercepted the request, my
browser would inform me that the MiTM doesn&#39;t have a matching certificate
(unless my browser has been specially configured to trust the certificate of
that captive portal, which means either I did it or I&#39;m using some other
organization&#39;s computer and accept the consequences). Additionally, a
gateway cannot inspect or inject content going through https unless the
computer initiating the request is specially configured to trust certificates
created by that gateway, so if one that hasn&#39;t been trusted tries, you get
a browser error just the same. DNS forgery would result in the same -- your
browser would tell you that the server you&#39;re connecting to doesn&#39;t
have a matching certificate. Proxy content injection -- same story. These are
all examples of where user vigilance in ensuring they are getting the
verification information over https protects the user from a MiTM attack. On
the other hand, your browser and extensions you use could indeed modify the
contents of https communications -- but this is locally installed and configured
software that the user has chosen to trust.</div>

<div>&nbsp;</div>

<div>The certificate system isn&#39;t perfect, but it&#39;s considerably
better than nothing.</div>

<div>&nbsp;
<div name="quote" style="margin:10px 5px 5px 10px; padding: 10px 0 10px 10px;
border-left:2px solid #C3D9E5; word-wrap: break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;">
<div style="margin:0 0 10px 0;"><b>Sent:</b>&nbsp;Sunday, January 15, 2017 at
12:43 AM<br/>
<b>From:</b>&nbsp;&quot;Louis Santillan&quot; &lt;lpsan...@gmail.com&gt;<br/>
<b>To:</b>&nbsp;&quot;Discussion and general questions about FreeDOS.&quot;
&lt;freedos-user@lists.sourceforge.net&gt;<br/>
<b>Subject:</b>&nbsp;Re: [Freedos-user] verification checksums should be
served over https</div>

<div name="quoted-content">I would not be lured into a false sense of security
provided by<br/>
browser makers and their insistence that the safest form of browsing<br/>
is over HTTPS. You can still be easily MITM&#39;d with captive portals,<br/>
gateway content inspection/injection, DNS forgery, via proxy content<br/>
injection, your ad blocker or browser extensions profile and probably<br/>
another half dozen easily implemented exploits. Heck, your browser<br/>
can even become part of the MITM exploit.<br/>
<br/>
I&#39;ll intentionally misquote a saying I&#39;ve heard about rules &amp;
law;<br/>
&quot;[Encryption standards] aren&#39;t made to keep the bad guys out;
they&#39;re<br/>
made to keep the good guys in.&quot;<br/>
<br/>
<br/>
On Sat, Jan 14, 2017 at 11:21 AM, shaclacroi
&lt;shaclac...@fastservice.com&gt; wrote:<br/>
&gt; The download page links to checksums at<br/>
&gt; <a href="http://www.freedos.org/download/verify.txt"
target="_blank">http://www.freedos.org/download/verify.txt</a> -- but since
this page isn&#39;t<br/>
&gt; available over https, there&#39;s no way to confirm the validity of
the<br/>
&gt; checksums, since the page could be intercepted and modified by a<br/>
&gt; man-in-the-middle attacker<br/>
&gt; (<a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack"
target="_blank">https://en.wikipedia.org/wiki/Man-in-the-middle_attack</a>).<br/>
&gt;<br/>
&gt; As free secure https certificates are now offered by Let&#39;s
Encrypt<br/>
&gt; (<a href="https://letsencrypt.org/"
target="_blank">https://letsencrypt.org/</a>), it may be advisable to get https
set up for<br/>
&gt; <a href="http://www.freedos.org"
target="_blank">www.freedos.org</a>.<br/>
&gt;<br/>
&gt; Alternatively, as I see you&#39;re hosted on Amazon Web Services, if you&#39;re
using<br/>
&gt; Elastic Load Balancing or Amazon CloudFront, Amazon&#39;s Certificate
Manager<br/>
&gt; also offers free https certificates.<br/>
&gt;<br/>
&gt; Let me know if I can be of any help.<br/>
&gt;<br/>
&gt;
------------------------------------------------------------------------------<br/>
&gt; Developer Access Program for Intel Xeon Phi Processors<br/>
&gt; Access to Intel Xeon Phi processor-based developer platforms.<br/>
&gt; With one year of Intel Parallel Studio XE.<br/>
&gt; Training and support from Colfax.<br/>
&gt; Order your platform today. <a href="http://sdm.link/xeonphi"
target="_blank">http://sdm.link/xeonphi</a><br/>
&gt; _______________________________________________<br/>
&gt; Freedos-user mailing list<br/>
&gt; Freedos-user@lists.sourceforge.net<br/>
&gt; <a href="https://lists.sourceforge.net/lists/listinfo/freedos-user"
target="_blank">https://lists.sourceforge.net/lists/listinfo/freedos-user</a><br/>
&gt;<br/>
<br/>
</div>
</div>
</div>
</div>
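The point made above is that a checksum list is only useful if it is fetched over a channel whose server certificate is verified, and that the user then compares the file's digest against it. The script below is an added example (not FreeDOS project code and not the author's): it refuses to fetch verification data over anything but https, relies on Python's default SSL context for certificate and hostname verification, parses a sha256sum/md5sum-style list, and checks a downloaded file against it. The `HEXDIGEST  filename` layout, the file names and the digests in SAMPLE_LIST are constructed for the example; the real verify.txt may be formatted differently.

```python
# Added example (not FreeDOS project code): fetch a checksum list only over
# HTTPS with certificate verification, then check a downloaded file against it.
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlparse

# Hex-digest length -> hash algorithm, so a mixed md5/sha1/sha256 list works.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = set("0123456789abcdefABCDEF")


def require_https(url: str) -> str:
    """Refuse non-https URLs for verification data: a checksum list fetched
    over plain http can be rewritten in transit by a man-in-the-middle."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"verification data must be fetched over https, got: {url}")
    return url


def fetch_checksums(url: str, timeout: float = 10.0) -> str:
    """Download the checksum list. ssl.create_default_context() verifies the
    server's certificate chain and hostname, so a captive portal, DNS forgery
    or an injecting proxy without a trusted certificate fails the handshake
    instead of handing back a substituted list. (Network call; the offline
    test below does not exercise it.)"""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(require_https(url), timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_checksums(text: str) -> dict:
    """Parse 'HEXDIGEST  filename' lines (sha256sum/md5sum style output).
    This layout is an assumption; the real verify.txt may differ."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            continue  # not a digest + name pair
        digest, name = parts
        if len(digest) not in _ALGO_BY_LEN or not set(digest) <= _HEX:
            continue  # not a recognised hex digest
        table[name.lstrip("*")] = digest.lower()  # '*name' marks binary mode
    return table


def verify_download(data: bytes, name: str, table: dict) -> bool:
    """Return True only if the file's digest matches the listed one.
    Unknown file names fail closed; the comparison is constant-time."""
    expected = table.get(name)
    if expected is None:
        return False
    actual = hashlib.new(_ALGO_BY_LEN[len(expected)], data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample list: sha256 and md5 digests of the bytes b"hello world".
SAMPLE_LIST = """# constructed verify.txt for the example
b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9  fdos-sample.img
5eb63bbbe01eeed093cb22bb8f5acdc3  *fdos-legacy.img
not a checksum line
"""

if __name__ == "__main__":
    table = parse_checksums(SAMPLE_LIST)
    print(verify_download(b"hello world", "fdos-sample.img", table))   # True
    print(verify_download(b"hello world!", "fdos-sample.img", table))  # False
    try:
        require_https("http://www.freedos.org/download/verify.txt")
    except ValueError as exc:
        print("refused:", exc)
```

Using the default SSL context rather than disabling verification is what turns the interception cases listed above (captive portal, DNS forgery, injecting proxy) into a failed handshake; a script that sets `check_hostname = False` or `verify_mode = CERT_NONE` would accept the substituted list just as a plain http fetch does.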

<div>&nbsp;</div>

<div class="signature">&nbsp;</div></div></body></html>
